
Application Security Orchestration and Correlation for the Enterprise

Software vulnerabilities continue to plague enterprise organizations. From patching old software to testing new applications before they are out in production, vulnerabilities are part of the process, so it seems. Thus, the security testing market is robust, and a necessary component in organizations’ security (and risk) programs. Over the years, one of the challenges in software testing has been deciphering who owns the program. Security is ultimately responsible for guarding all organizational assets, but DevOps has a responsibility for building secure software. However, as DevOps has become a revenue-generating business unit of the organization, thus gaining more power and influence, developers have tried to put the kibosh on any testing that slows the delivery process or breaks their applications. This is not to say that security isn’t important to developers; but any security testing must align with DevOps’ goals and processes.

As such, testing vendors have responded by building out their products to meet the needs of developers, striving to become the unicorn DevSecOps-friendly tool that everyone can finally use. Today, the software security testing market has plentiful commercial and open source options. Broadly speaking, tools fall into three categories—tools for testing:

  1. Custom/Open source code
  2. Third-party components
  3. The host site/network where the software resides

If you’ve ever evaluated the software security testing market, you know that there are best-of-breed vendors in each space, and then some vendors that span spaces. In the best cases, a vendor might sell a product suite, where testing solutions are integrated and analysts can correlate outputs. This, of course, is the desired state: a full-complement suite with correlated results that can be prioritized for remediation.

The problem, however, is the diversity between the tools’ testing focus and the results they produce. Each vendor, in an effort to offer a unique value proposition, tests different aspects of software, and so the findings between platforms are almost always inconsistent. What this means is that enterprises, especially those with large DevOps teams, need to avail themselves of multiple tools to ensure they’re surfacing all the business-critical vulnerabilities. As a result, the software security testing market has become very complicated and difficult to manage.

The issues are compounded by a lack of integration; for obvious reasons, software testing vendors do not always foster compatibility with other—potentially competitive—testing products. This leaves developers and security teams with the clunky, manual, challenging tasks of cross-platform correlation and analysis, which slow down the deployment process and run counter to the goals of DevOps.

Creating a bridge

With a background helping government and military organizations stand up their cyber security functions, coupled with a PhD in experimental psychology, Dr. Anita D’Amico knew she wanted to help organizations diagnose problems in their software before those problems turned into large-scale breaches. In the early 2000s, as the founder of the Secure Decisions division at Applied Visions, D’Amico led the development of new technologies to help the Department of Homeland Security (DHS) with application security, cyber security visualization, and security education. In this role, D’Amico was awarded funding for one of the largest R&D efforts ever put forth by the DHS Security and Technology Directorate.

D’Amico and team’s early work in application security R&D led to the development of what is now an application security orchestration and correlation (ASOC) platform offered by Code Dx, Inc., a startup out of Northport, NY. D’Amico spun out Code Dx as a separate company, bringing over subject matter experts from Secure Decisions and adding new sales and marketing talent to commercialize the technology.

Today, Code Dx is the automated orchestration layer that allows organizations to use as many of the best-of-breed players as they want or need, gaining coverage for all three attack surfaces in software—code, third-party components, and the host site. The advantage of Code Dx is that organizations can effectively test without the manual effort and inconsistencies often associated with multi-tools management.

Continuous, integrated visibility

Code Dx facilitates continuous application testing across the entire lifecycle of software. Code Dx Enterprise, the company's flagship product, integrates with 75 commercial products and 16 open source products to provide orchestration, normalization, correlation, de-duplication, prioritization, remediation tracking, compliance tracking, and visualization of software risk. In a recent conversation with D’Amico, she called Code Dx a “system of record” and “central repository” in which developers and testers can view and understand software vulnerabilities. Importantly, though the focus is on security testing, Code Dx also exchanges data with other DevOps tools so that developers can continue with normal processes and not have to think about additional steps or tools management.
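As an added illustration of the normalization, correlation and de-duplication steps named above (example code written for this article, not Code Dx's own), the following Python takes constructed findings from two hypothetical scanners with different field names and severity scales, maps them onto one schema, merges reports of the same issue, and orders the result by severity and by how many tools agree.

```python
import os
from collections import defaultdict

# Constructed sample output from hypothetical scanner "sast-a" (named severities)
SAST_A = [
    {"tool": "sast-a", "path": "src/login.py", "line": 42, "cwe": "cwe-89", "sev": "High"},
    {"tool": "sast-a", "path": "src/util.py", "line": 7, "cwe": "CWE-79", "sev": "Medium"},
]
# Constructed sample output from hypothetical scanner "sast-b" (numeric CWE, 1-4 scale)
SAST_B = [
    {"scanner": "sast-b", "file": "./src/login.py", "loc": "42", "weakness": 89, "severity": 3},
    {"scanner": "sast-b", "file": "./src/api.py", "loc": "10", "weakness": 22, "severity": 2},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def normalize_tool_a(raw):
    # Canonicalise path, line type, CWE spelling and severity onto the common schema
    return {"tool": raw["tool"], "path": os.path.normpath(raw["path"]),
            "line": int(raw["line"]), "cwe": raw["cwe"].upper(),
            "severity": SEVERITY[raw["sev"].lower()]}

def normalize_tool_b(raw):
    # Tool B reports a bare weakness number and already uses a 1-4 severity scale
    return {"tool": raw["scanner"], "path": os.path.normpath(raw["file"]),
            "line": int(raw["loc"]), "cwe": f"CWE-{raw['weakness']}",
            "severity": int(raw["severity"])}

def correlate(findings):
    """Group normalized findings on (path, line, CWE) so each real issue appears once."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["path"], f["line"], f["cwe"])].append(f)
    merged = []
    for (path, line, cwe), fs in groups.items():
        merged.append({"path": path, "line": line, "cwe": cwe,
                       "severity": max(f["severity"] for f in fs),
                       "tools": sorted({f["tool"] for f in fs})})
    # Prioritise: highest severity first, then issues more tools agree on
    merged.sort(key=lambda m: (-m["severity"], -len(m["tools"]), m["path"], m["line"]))
    return merged

def run():
    findings = [normalize_tool_a(r) for r in SAST_A] + [normalize_tool_b(r) for r in SAST_B]
    return correlate(findings)

if __name__ == "__main__":
    for issue in run():
        print(issue)
```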

Orchestration is becoming a mandatory security and vulnerability management functionality, given the plethora of deployed technologies in organizations’ ecosystems. D’Amico wanted to give application security and DevOps teams something tailored to their needs and built with the rigor, discipline, and threat focus she had acquired working on behalf of the U.S. government. “Ninety percent of breaches can be tracked back to software vulnerabilities,” she said, quoting publicly published industry sources, “so obviously organizations need to use every resource they can to mitigate risk. No single tool does a complete job. This creates an inability for analysts to see across threat surfaces. Our enterprise solution provides automation, integration, and a consistent, normalized view that reduces false positives, speeds up software deployment, and minimizes risk from software vulnerabilities.”

The takeaway

The challenges for Code Dx will be educating the market about this new Application Security Orchestration and Correlation (ASOC) capability and aligning with developers’ personal preferences—Code Dx will have to appeal to developers or it could end up in the DevSecOps graveyard like so many technologies before it. The team has a strong technical background and is making considerable inroads into this new market segment of application security. The advantage D’Amico and team have is their experience, particularly in the government space where buyers/users are even less forgiving than in the private sector. They know how to build a world-class tool, and they have the right idea about cross-platform integration, correlation, and analysis. Code Dx is one to watch; as ASOC gains more traction, Code Dx is one of the early entrants and their technology will stand up against any competitor.