IT organizations around the world continue to navigate ever-increasing cyber threats that require developers and engineers to continuously assess and evaluate potential weaknesses in systems.
The need to improve automation and make it more efficient to support an evolving security landscape is apparent. However, the buck does not stop at the time of deployment of software to production. As new vulnerabilities are discovered, production systems must remain secure. This is incredibly important since business applications can sometimes release new features and functionality at a frequency that outpaces the security environment.
Simply put, new vulnerabilities are discovered all the time. A business application that was deployed vulnerability-free can become vulnerable after its release through the discovery of a previously unknown cyber-attack vector. But there’s good news: DevSecOps can help avoid these risks through continuous security scanning. Many IT professionals are familiar with continuous integration (CI) and continuous delivery (CD). Now we are thinking about continuous compliance.
Continuous compliance scanning is a win for the control groups at an organization because it is an automatic way to record, track, and manage this type of security risk for an enterprise. The automated scans also record evidence of continuous compliance for each passing application in the process. The result is repeatable, sustainable application security.
Automating SAST Scans
Static Application Security Testing (SAST) scans application source code to discover security vulnerabilities. The question is: how can we ensure that application code that was secure at release time remains safe as new vulnerabilities are discovered post-release? And perhaps more importantly, how can we do this in a sustainable and repeatable way?
Our DevSecOps team built a process that periodically performs SAST scans, identifying any new source code vulnerabilities and promptly associating them with active production code. This process runs automatically in the background, looking for that needle in the haystack. System owners and stakeholders are only alerted when action is required on any new risks in their production environments.
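The core of such a process is a diff between the release-time SAST baseline of the commit that is actually running in production and a fresh re-scan of that same commit, with an alert raised only when something new and severe enough appears. The script below is an added illustration, not DTCC's tooling; the finding format, rule IDs, file names and commit hashes are all constructed for the example.

```python
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def fingerprint(finding):
    """Stable identity for a finding: rule + file + hash of the flagged
    snippet. Line numbers are excluded on purpose, so edits elsewhere in
    the file do not make a known finding look new."""
    snippet = " ".join(finding["snippet"].split())  # normalise whitespace
    digest = hashlib.sha256(snippet.encode()).hexdigest()[:16]
    return (finding["rule_id"], finding["file"], digest)

def new_findings(baseline, current):
    """Findings in the periodic re-scan that were absent at release time.
    Both scans cover the same commit, so differences come from new SAST rules."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]

def alerts_for_production(deployed, baselines, rescans, min_severity="medium"):
    """Compare the re-scan of each app's production commit with that commit's
    release-time baseline and keep only new findings at or above min_severity.
    Apps with nothing actionable are omitted, so owners are paged only when needed."""
    threshold = SEVERITY_RANK[min_severity]
    alerts = {}
    for app, commit in deployed.items():
        fresh = new_findings(baselines[commit], rescans[commit])
        actionable = [f for f in fresh if SEVERITY_RANK[f["severity"]] >= threshold]
        if actionable:
            alerts[app] = actionable
    return alerts

# Constructed sample data: two apps pinned to their release commits.
DEPLOYED = {"payments-api": "a1b2c3", "report-ui": "d4e5f6"}
BASELINES = {
    "a1b2c3": [{"rule_id": "SQLI-001", "file": "db.py", "snippet": "cur.execute(q % name)", "severity": "high"}],
    "d4e5f6": [],
}
RESCANS = {
    # The old finding again (whitespace changed) plus a hit from a newly added rule.
    "a1b2c3": [
        {"rule_id": "SQLI-001", "file": "db.py", "snippet": "cur.execute(q  %  name)", "severity": "high"},
        {"rule_id": "XXE-007", "file": "parse.py", "snippet": "etree.parse(src)", "severity": "high"},
    ],
    # Only a low-severity new finding: stays below the alert threshold.
    "d4e5f6": [{"rule_id": "INFO-042", "file": "app.js", "snippet": "console.log(req)", "severity": "low"}],
}

if __name__ == "__main__":
    for app, items in alerts_for_production(DEPLOYED, BASELINES, RESCANS).items():
        print(app, [f["rule_id"] for f in items])
```

Running it reports only `payments-api` with the new `XXE-007` finding; the re-detected `SQLI-001` is recognised as already known and the low-severity `report-ui` finding is recorded without paging anyone.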
Developing Tomorrow’s Solutions
Automating and extending security scans enables an enterprise to react to cyber security events faster and more efficiently, building release-ready code as soon as issues are detected or reported. Beyond that, it improves efficiency, minimizes unnecessary work, and speeds up time to market for products. At DTCC, the DevSecOps automated capabilities allow developers to rapidly address emerging risks while freeing up their time to create innovative solutions to challenging business problems.
This idea of continuous compliance scanning and reporting can be extended to other security and quality tooling. Aggregating results into a single view that proactively monitors, alerts and calls development teams to action as necessary helps to expedite remediation.