A Guide To Automated Continuous Security Testing in DevOps

David Brumley
July 13, 2021

The acceleration of application development has shown no sign of stopping. As a result, we’re seeing increasingly complex, interconnected software.

These forces are driving organizations to go beyond merely identifying common security errors or protecting against common attack techniques. Increasingly complex applications call for the ability to anticipate, detect, and respond to new threats. Progressive organizations are betting that continuous testing is the answer to proactively mitigating those new threats.

What is Continuous Testing in DevOps?

Continuous testing in DevOps enables security teams to keep pace with development and operations teams in modern development, and to deliver deep integration and automation of security tooling. These requirements have led to increased interest in emerging techniques that prioritize automation, accuracy, and simplicity.


ForAllSecure interprets this as evolving security testing from the traditional checkpoint in the software development lifecycle (SDLC) to a discipline that occurs throughout the development process. By embracing continuous security testing, organizations receive timely results throughout an application’s lifecycle while cultivating a security mindset.

Evolution of Development

Software is an important part of any business, whether it is used to offer a service, run an operation, or engage customers. In 2019, Satya Nadella, CEO of Microsoft, said that every company is now a software company. He predicts that in 10 years there will be no demarcation between the “tech industry” and “other industries.”

Nadella is right. The proof is in the pudding, and it’s redefining the way we do business. Time and time again, we’ve seen software disrupt the way a business -- and, at times, a market -- operates. Because software is such a huge change agent, the market wants more; it can’t get enough software. Google Chrome has 6.7 million lines of code; a Boeing 787 Dreamliner has 16.5 million lines of code; Facebook has 65 million lines of code; and an autonomous vehicle will contain over 100 million lines of code. So it comes as no surprise that developers are coding faster than ever. Brilliant, creative developers are solving some of our toughest challenges with code, and they’re having to do it while managing


With software being produced at such scale, the big question is: What gets left behind? The answer? Perfection.

In the process of getting code out the door, developers occasionally misplace brackets, make copy-and-paste errors, and misspell identifiers. These honest mistakes (defects) leave organizations increasingly vulnerable to attack. How many mistakes?

Cybersecurity Ventures predicts that the number of zero-day exploits (which doesn’t include exploits of already-known vulnerabilities) will rise from one per week to one per day by next year. This is a problem. Worse, market projections show that there aren’t enough people to secure this much code. In 2019, the International Information System Security Certification Consortium ((ISC)²) released a workforce study that found a shortage of infosec experts estimated at just over 4 million worldwide. In APAC alone, the shortfall is 2.6 million; in North America, it’s half a million. Part of the problem is both training and recruiting new talent.

The consequences are real in the commercial space. Sixty percent of hacked small and medium-size businesses go out of business within six months. The National Cyber Security Alliance reported that in a survey of 1,009 small businesses with up to 500 employees, 10% went out of business, 25% had to file for bankruptcy, and 37% experienced financial loss.

In the Federal space, military software systems, for example, need to last decades out in the field. This is counter to what we do today. With the advent of IoT, as soon as the software is outdated, the device itself is considered disposable. That’s not possible with a multimillion dollar fighter jet. Take the F-15, for example. The F-15 was designed over 45 years ago, before the 1988 Morris internet worm. The USS Nimitz is just as old; it was commissioned in 1975.


The F-22 Raptor first flew in 1997—well before format string vulnerabilities were widely studied. So while it’s refreshing to design technology to be non-disposable, most software has a 3 year lifetime at best. What’s needed is a continuous evolution of the software, with vigorous cycles of testing and updating of the code. This is counter to what we have traditionally done with software development.
