Chapter 3 by Sogeti
Business ●●○○○
Technical ●●●○○
Listen to the audio version
To achieve complete integration and increase application security maturity, we must increase our automation, which is where AI and machine learning come into play.
The problem statement
Recalling the customer pain from the first chapter, we now understand that the client has implemented a security verification system that is integrated into the CI/CD pipeline and DevOps chain. This is unquestionably a step toward closing the loop on a number of issues. Identifying issues early in the development process is critical for reducing the cost of an application's development.
Figure: Relation feedback lenght cycle and costs
As demonstrated by Scott W. Ambler's illustration, test early – test often is a concept that applies not only to the functional levels of an application, but also to non-functional development practices, with a particular emphasis on security. Our client is a strong proponent of this mindset.
However, with the introduction of security testing tools, we frequently see that issues are discovered but not subjected to a security audit. Numerous issues discovered can be classified as non-issues, false positives, irrelevant, or plain old noise. To review each issue discovered, an auditor must review it and flag it appropriately, so that the developer receives a prioritized, audited list of issues that must be addressed. Again, even as a tool improves the scan and issue detection rate, manual work is still required. To achieve full integration and DevSecOps maturity, we must automate even more, which is where AI and machine learning come into play.
In the preceding chapter, we discussed four areas of focus for application security testing. Each area of security has its own approach to AI and machine learning implementation. This is for the various approaches to utilizing these modern capabilities for the purpose of resolving various customer challenges. In this section, we will demonstrate how the various focus areas are utilizing AI in their own unique ways to expedite security verification while maintaining a comprehensive list of issues discovered. This is critical in order to make the DevOps process more appealing, as waiting for scans is not an option. Additionally, by utilizing AI and machine learning, you will minimize the attack surface, lowering the overall risk factor. All of this is accomplished "at the flick of a switch"!
As stated previously, one of the primary benefits of automation is the elimination of manual, tedious work. We eliminated the manual effort required to scan the application. However, the issues we discovered are not automatically tagged with sufficient information to indicate whether or not we should investigate them.
Typically, this work is performed by a subject matter expert, a security auditor. He will conduct an investigation into the identified issues and categorize them according to their level of knowledge and criticality. In many cases, issues discovered are referred to as false positives or are deemed irrelevant. On the other hand, you must also flag issues as exploitable, false positive, and so forth. This work is frequently associated with reviewing an issue in accordance with the standards of a security body (OWASP, CWE, PCI DSS, NIST...). This means that when you discover an issue that the security body has flagged as suspicious, you must conduct additional investigation and tag the issues.
And it is at this point that artificial intelligence and machine learning capabilities become useful. Capgemini Sogeti has a long history with Micro Focus, and Fortify is one of the most robust application security solutions on the market. Fortify has been in the top right corner of Gartner's solidity rankings for many years, and there are numerous reasons for this. One of them is the ability to execute in the area of automation.
Fortify includes a solution called Fortify Software Security Center for static application security testing (SSC). This solution is an administrative platform that enables customers to review and validate their security issues, as well as assign them to a developer, architect, or other appropriate individual. One critical feature is the ability to connect to the Fortify Audit Assistant. This is a database of all known vulnerabilities, to which Fortify customers can contribute their own thoughts on specific items/findings. By reviewing security issues with Audit Assistant, you can automatically determine whether an issue is a genuine one or a false positive. This process, which incorporates machine learning and artificial intelligence, will be able to attribute meaning to findings and, through predictive analysis, flag an issue for the customer.
By doing so, you relieve the customer of manual auditing and add a new dimension to the automated DevSecOps approach – you can now automate the flow, allowing you to go live even if the application has significant security findings. And this is something we believe the DevOps process truly values. Not only do you automatically identify issues (faster), but you also audit them (faster), providing the customer with what we refer to as a true return on investment.
As mentioned in the previous chapter, when it comes to open source libraries, the selection is overwhelming. Keeping track of these, as well as which libraries are safe to use, is a time-consuming manual task for a technician. The risk of not discovering a security breach is also very real, and as a security engineer, we see that maintaining overall security is nearly impossible without automation, and on top of that, AI and machine learning.
There are numerous solutions on the market today that guide customers toward open source library usage recommendations. However, as the percentage of projects introducing libraries continues to grow, it is critical to spend as little time as possible identifying potential risk. Commercial vendors that conduct risk assessments on third parties are typically updated on rules, but also on potentially risky committers. This ensures that when you perform a scan for third-party libraries, you will receive an early notification and, additionally, a recommendation on which library to use.
One of the most significant enhancements to security is the ability to eliminate all manual work by automating as much of the delivery pipeline as possible. Additionally, malicious and potentially insecure libraries should be removed. It's not just about identifying problems; it's also about isolating and mitigating damage to existing solutions.
As a vulnerability scanning vendor, Snyk identifies increased visibility within the DevSecOps chain as a critical component of improved security. This means that by utilizing machine learning for deployment, you may be able to anticipate a potential security breach prior to deploying solutions. Which, once again, is critical to success.
So, we've enhanced our processes for securing our applications throughout the development and release pipeline. Following that, we're going to compile the solution and want to ensure that the application is secure in terms of usage. We discussed how dynamic security penetration testing is used in a quality-control context in the previous chapter. Again, one of the keys to reducing developer/architect noise is to eliminate what is regarded as a finding but is irrelevant.
However, findings are only a subset of the metrics. Another metric to track is the variety of test types utilized in the automated effort. A recent paper on efficient penetration testing discusses the importance of reinforcement learning for efficient network penetration testing, specifically how learning from previous tests executed is critical for increasing testing speed. Similarly, dynamic penetration testing of web applications is being implemented. The attack surface is constantly changing, making it critical to maintain updated rules and vectors. Again, we see the importance of investigating and verifying the most widely known vulnerabilities. Other customers' and users' result sets will serve as a foundation for how testing is conducted, what findings are identified, and how other customers have addressed them.
Finally, what we need to improve is the amount of time we spend identifying issues. Machine learning and artificial intelligence have demonstrated their utility for a variety of purposes, and the ability to predict potential risk areas is the dream scenario. We are not entirely there yet, but we can eliminate some of the attack vectors used by hackers by utilizing tools such as Fortify Webinspect. And an updated system, which includes all new exploit mechanisms, will be critical to accomplishing this.
At this point, we've done everything possible to secure our application prior to putting it into production. And, let us not forget, putting our systems into production entails exposing all risks by allowing anyone to access our application. This also provides an opportunity for hackers and others to begin searching for vulnerabilities. We've made every effort to close as many as possible, but there will always be one item that was overlooked. And new hacking techniques are being developed on a daily basis. As a result, you can never be certain that your application is completely safe and secure.
Numerous organizations have implemented security monitoring solutions, dubbed SIEMs (Abbreviation from Security Information and Event Management). These tools will monitor logs and activities on your systems that could be dangerous. If you come across malicious activity or unidentified actions, you must take some proactive steps to address them. To be honest, modern SIEM solutions have become the de facto standard for auditing compliance and security in a variety of ways. However, it lacks the ability to monitor and protect running applications.
And one critical component of ensuring the security of your applications is the implementation of an application monitoring solution. There are numerous solutions available on the market today that assist in mitigating risks and keeping you informed of potential threats. However, one capability that is critical now, and perhaps even more so in the future, is the ability to predict and prevent irrational and malicious behavior. Dynatrace and Micro Focus AppDefender are two examples of solutions that have made significant progress in this area.
To prevent attacks, monitor behavior, and keep you safe, these solutions incorporate AI as a core component and will be able to take proactive countermeasures in the event of an attack. For example, if the system detects a possible DDOS attack, it can shut down the surrounding networks in order to mitigate the damage. Alternatively, specific domains, IP ranges, and other identifiable sources may be denied access to your application based on a risk history.
It is one thing to be able to identify a risk; however, as long as remediation requires manual intervention, you will always be too late. With automated, AI-powered elements assisting you in the monitoring space, you will not only be able to sleep soundly at night, but you will also be able to protect the data, the client, and yourself.
Therefore, let us revisit the customer with whom we worked in the previous chapter, who was heavily burdened by manual work and time-consuming tasks related to resolving security issues. To begin, introducing security testing early in the development lifecycle had the immediate effect of allowing developers to verify their own code prior to uploading it to the deployment pipeline.
A very clear reward here was to reduce the lengthy list of issues discovered during third-party code verification. Another obvious benefit was the ability to identify risky third-party libraries and, additionally, to know which libraries to replace them with, thereby reducing the risk of unintentional security flaws from third-party vendors. Finally, we observed that the developers' overall behavior improved, resulting in a decrease in the number of security issues developed. One of the greatest rewards is that the more aware developers become of their own habits and how to avoid them, the greater the reward.
However, the most significant effect we discovered was a reduction in time spent searching for and resolving issues late in the project. Early detection has the greatest impact on project cost savings, and this is true for security testing as well as other types of testing. On these subjects, there is no distinction. Conduct early testing, address critical issues, and automate as much as possible. This will always be the optimal solution for the businesses we seek to assist. And with the addition of AI and machine learning, we can improve this even further.
Thor Olav Sørnmo
Thor Olav Sørnmo is a distinguished solutions architect, with more than 20 years experience from multiple roles in the IT-industry. Over the last decade, Thor Olav has been focusing on automation, efficiency and agility in smaller and larger projects, developing solutions that provides commercial value and cost savings for the clients he has worked for. Thor Olav has been focusing on security in the automation space, covering code analysis and application verification using a modern approach and tools that enables deployment at a fast pace.
He is in Capgemini responsible for automation and performance for testing complex software solutions, where security proves to be more and more important to the clients for every month. Thor Olav also liases as an advisor internally for the evaluation of, and procurement of tools for his clients which will bring the best value when evaluation criterias lies withing cost, benefit and long term KPIs, such as improvement in quality and a satisfied end user.
Currently, Thor Olav operates as a managing consultant and advisor to key important clients on a national and global scale for Capgemini, covering test automation and performance testing, in addition to managing the test processes for one of his clients.
Thor Olav is an expert in performance engineering, security testing and verification and also operates and manages test process improvement for clients where this is fit. But he always blooms and brings the most value to his clients whenever he can help in finding ways to automate and effectively manage the processes in development and test, ensuring that innovation is kept alive, delivered rapidly, and with high quality and low risk.
Part of the Capgemini Group, Sogeti operates in more than 100 locations globally. Working closely with clients and partners to take full advantage of the opportunities of technology, Sogeti combines agility and speed of implementation to tailor innovative future-focused solutions in Digital Assurance and Testing, Cloud and Cybersecurity, all fueled by AI and automation. With its hands-on ‘value in the making’ approach and passion for technology, Sogeti helps organizations implement their digital journeys at speed.
Visit us at www.sogeti.com
Capgemini is a global leader in partnering with companies to transform and manage their business by harnessing the power of technology. The Group is guided everyday by its purpose of unleashing human energy through technology for an inclusive and sustainable future. It is a responsible and diverse organization of 270,000 team members in nearly 50 countries. With its strong 50 year heritage and deep industry expertise, Capgemini is trusted by its clients to address the entire breadth of their business needs, from strategy and design to operations, fueled by the fast evolving and innovative world of cloud, data, AI, connectivity, software, digital engineering and platforms. The Group reported in 2020 global revenues of €16 billion.
Get the Future You Want!