Machine Learning and AI Are Key to the Next Evolution of Automation
Companies that use automation are twice as likely to implement security testing. In addition, there are numerous use cases for machine learning advancements.
Automation is one of the biggest drivers empowering shift-left security. This is backed up by studies showing that companies that use automation are twice as likely to implement security testing. While many organizations know there is a need for automation, and some automation has taken place, there is still more room for improvement. Gartner states that while 95% of respondents use automation, only 33% fully automate their deployment pipeline. Furthermore, Gartner indicates that 32% of organizations manually integrate their security tools*.
* Source: Gartner®, Survey Analysis: Enabling Cloud-Native DevSecOps, Dionisio Zumerle, 13 September 2021
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
“Auditing raw static scan results is the most time-consuming and effort-intensive manual aspect of SAST and requires a skillset that is often difficult to find and keep.”
While the push to automate more of the implementation and tooling used throughout the development process continues, we are also seeing benefits in the form of automated remediation that uses existing data and machine learning. Software composition analysis with automated pull requests is one example. Fortify has innovated in this space with our Audit Assistant tool as well. Fortify’s application security as a service offering (Fortify on Demand) runs thousands of static, dynamic, and mobile scans per week, scanning billions of lines of code. Fortify on Demand takes customer application source code, runs the scan, and then (as a value-added service) passes the raw scan results to a team of auditors who are subject matter experts. These auditors identify and prioritize the noteworthy findings while removing the noise from the results.
Consequently, Fortify on Demand customers receive actionable results that enable them to focus on fixing the most critical issues.
The Fortify Audit Assistant service uses machine learning algorithms that learn from the hundreds of millions of anonymized audit decisions made by Fortify on Demand experts.
These decision models are actively used and developed for Fortify on Demand, but can also be applied automatically on premises to Fortify Static Code Analyzer results by using Audit Assistant. This innovative and patent-pending technology has been available to Fortify customers for the past five years. In the future, the same approach will extend to other AppSec vulnerability types, likely starting with a subset of SAST findings (configuration/IaC style, etc.). There are also numerous other use cases for machine learning advancements. Our software composition analysis product, Debricked, applies machine learning in Open Source Select, which compares and analyzes the health of all open source projects on GitHub to support better decisions when evaluating a library or framework.
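To make the triage idea concrete, here is an added illustration (not Fortify's code or model; the finding records, feature names and thresholds are constructed for the example): a categorical naive Bayes classifier learns from past auditor decisions, auto-labels new raw findings only when its posterior is confident, and routes the rest to a human auditor.

```python
from collections import Counter
from math import exp, log

# Constructed sample of past auditor decisions on raw static-scan findings
# (category, sink type, analyzer confidence, auditor label, occurrences). Not real data.
_SAMPLES = [
    ("SQL Injection", "database", "high", "exploitable", 3),
    ("SQL Injection", "database", "low", "not_an_issue", 1),
    ("XSS", "html_output", "high", "exploitable", 2),
    ("XSS", "log_file", "low", "not_an_issue", 3),
    ("Path Manipulation", "file", "high", "exploitable", 1),
    ("Path Manipulation", "file", "low", "not_an_issue", 2),
]
AUDIT_HISTORY = [({"category": c, "sink": s, "confidence": k}, label)
                 for c, s, k, label, n in _SAMPLES for _ in range(n)]
FEATURES = ("category", "sink", "confidence")
LABELS = ("exploitable", "not_an_issue")


def train(history, alpha=1.0):
    """Fit a categorical naive Bayes model with Laplace smoothing alpha."""
    label_counts = Counter(label for _, label in history)
    counts = {f: {lab: Counter() for lab in LABELS} for f in FEATURES}  # counts[f][label][value]
    vocab = {f: set() for f in FEATURES}
    for finding, label in history:
        for f in FEATURES:
            counts[f][label][finding[f]] += 1
            vocab[f].add(finding[f])
    return {"label_counts": label_counts, "counts": counts, "vocab": vocab, "alpha": alpha}


def p_exploitable(model, finding):
    """Posterior probability that an auditor would mark this finding exploitable."""
    total, a = sum(model["label_counts"].values()), model["alpha"]
    log_post = {}
    for label in LABELS:
        n = model["label_counts"][label]
        lp = log(n / total)
        for f in FEATURES:  # smoothed likelihood: values unseen for a class keep nonzero mass
            k = len(model["vocab"][f])
            lp += log((model["counts"][f][label][finding[f]] + a) / (n + a * k))
        log_post[label] = lp
    m = max(log_post.values())  # normalise in log space to avoid underflow
    return exp(log_post["exploitable"] - m) / sum(exp(v - m) for v in log_post.values())


def auto_audit(model, finding, lo=0.2, hi=0.8):
    """Auto-label only when the model is confident; otherwise route to a human auditor."""
    p = p_exploitable(model, finding)
    return "exploitable" if p >= hi else "not_an_issue" if p <= lo else "needs_review"
```

The deferral band (between `lo` and `hi`) is what keeps uncertain findings in front of a human rather than silently suppressing them.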
With DAST scans aligned to functional test scripts, only the portions of the application being worked on are scanned, and findings stay in the context of the code developers are changing. Scans that run automatically and integrate with existing processes and tools keep security and development teams moving quickly; they remain focused on fixing critical issues, not scheduling scans. This approach typically yields better results than the increasingly popular IAST method. Passive IAST does not crawl the application; it depends on users writing functional test scripts and manually exercising the application. DAST supports those same test-driven workflows, and is also effective at discovering the application's attack surface on its own.
This becomes a question of how much you trust QA to create a script for every scenario and code path. Unless they can cover those scenarios 100%, you will still need DAST to find all of the attack surface.
Testing earlier means organizations don’t need to re-orient their entire development process to a late-stage security gate as they did before. This allows for better scalability of DAST, which typically has been a major hurdle for security teams. Solutions that centralize the scanning are a key element of making DAST work at scale in DevSecOps pipelines.