Not long ago, companies’ technology stacks were defined by hardware, virtual machines, and the occasional cloud. More recently, the traditional stack has been replaced by software, microservices, packaged services, containers, and public cloud. DevOps and continuous integration, continuous delivery (CI/CD) models are now driving forces behind companies that would never have classified themselves as technology companies a few years ago. Yet, organizations today cannot survive without development. We live in a software-defined world, and the expectation is that new software and applications will be delivered quickly, continuously, and will incorporate user-friendly features—without exposing customers or the provider to data loss or breach.
Security has never been fully integrated into DevOps, and the pace of development continues to exceed security’s ability to ensure software is built on bug-free code, that critical updates and patches are addressed ASAP, and even that vulnerabilities can be identified in the first place. Vendors have helped compensate for the security gap, albeit through a disparate set of tools that address security at different phases of development. Each tool offers its own capabilities and advantages, but managing them all is practically a full-time job—one that most companies cannot afford.
Ernesto DiGiambattista is a former security practitioner who, in the mid-2010s, found himself struggling with the aforementioned challenges. He knew there had to be a better way to get a grip on security and regulatory change as they related to development, and thus founded ZeroNorth in 2015. “We live in a world of DevOps and CI/CD,” he said during a recent call. “Infrastructure has become code, it’s not the same old game as 20 years ago. The question is: How do we address visibility and assurance in this software-reliant world? You can’t just scan once per month and expect to be secure.” You also can’t realistically expect security managers or DevOps teams to log in and manage 20 different tools without opening up a process vulnerability (on top of any vulnerabilities inherent in software development).
Over the last five years, DiGiambattista and team have built what they term a “risk-based vulnerability orchestration” platform. More simply, ZeroNorth takes a DevOps organization and turns it into a DevSecOps organization—without the political struggles or the resentment. What does that mean in practical terms? Organizations can integrate their deployed vulnerability management tools for static code, vulnerability, artifact/registry, and infrastructure scanning; composition analysis; and dynamic app testing into the ZeroNorth platform for centralized administration. For organizations that don’t yet have these tools deployed, the platform ships with several open source tools for SCA, SAST, DAST, and cloud and container scanning.
After scans are complete, the first result is streamlined and consolidated visibility. After collection, the platform normalizes, de-dupes, and correlates the data so it can be analyzed for business risk impact, then prioritizes vulnerability information in the admin console. Vulnerability information is then automatically sent to the development team’s alerting system of choice—Jira, VictorOps, text, email, or Slack (other integrations may be customized)—so that vulnerabilities and incidents can be investigated quickly and (if necessary) remediated. In this way (except in the face of a potential threat), there is no impact on production environments, allowing security to shift left.
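To make the normalize, de-dupe, correlate and prioritize steps concrete, here is an added illustration (not ZeroNorth's code or schema) that merges two constructed scanner reports with different field names into one common shape and ranks the result by business risk. The tool names, field names and asset weights are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample output from two hypothetical scanners, each with its own schema.
SAST_REPORT = [
    {"tool": "sast-a", "path": "app/db.py", "line": 42, "cwe": "CWE-89", "sev": "HIGH"},
    {"tool": "sast-a", "path": "app/auth.py", "line": 7, "cwe": "CWE-798", "sev": "MEDIUM"},
]
SCA_REPORT = [
    {"tool": "sca-b", "file": "app/db.py", "lineno": 42, "rule": "CWE-89", "severity": 8.1},
    {"tool": "sca-b", "file": "requirements.txt", "lineno": 0, "rule": "CWE-1104", "severity": 5.3},
]
SEVERITY_WORDS = {"LOW": 3.0, "MEDIUM": 5.0, "HIGH": 8.0, "CRITICAL": 9.5}
# Constructed business-criticality weights per asset: the "business risk" input.
ASSET_WEIGHT = {"app/auth.py": 2.0, "app/db.py": 1.5}

@dataclass
class Finding:
    path: str
    line: int
    cwe: str
    score: float                      # normalized to a 0-10 scale
    sources: set = field(default_factory=set)

    def key(self):
        return (self.path, self.line, self.cwe)

def normalize(raw):
    """Map each tool's schema onto the common Finding shape."""
    if raw["tool"] == "sast-a":
        return Finding(raw["path"], raw["line"], raw["cwe"], SEVERITY_WORDS[raw["sev"]], {raw["tool"]})
    return Finding(raw["file"], raw["lineno"], raw["rule"], float(raw["severity"]), {raw["tool"]})

def consolidate(*reports):
    """De-dupe the same issue reported by several tools; keep the highest score and all sources."""
    merged = {}
    for f in (normalize(raw) for rep in reports for raw in rep):
        if f.key() in merged:
            merged[f.key()].score = max(merged[f.key()].score, f.score)
            merged[f.key()].sources |= f.sources
        else:
            merged[f.key()] = f
    return list(merged.values())

def risk(f):
    """Severity weighted by asset criticality; corroboration by another tool adds 10% per extra source."""
    return f.score * ASSET_WEIGHT.get(f.path, 1.0) * (1.0 + 0.1 * (len(f.sources) - 1))

def prioritize(findings):
    """Order the consolidated queue so the top items are what reaches the alerting system first."""
    return sorted(findings, key=risk, reverse=True)
```

With the sample input, the SQL injection finding reported by both tools lands at the top of the queue even though its raw severity is close to the others, because it sits on a weighted asset and is corroborated twice.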
“Our goal,” said DiGiambattista, “was to put the building blocks in place, to help companies remediate as soon as possible, before an incident occurs. Organizations didn’t previously have a good model to identify where vulnerabilities exist and how to prioritize them. It’s hard to keep up with DevOps’ speed, but we’re building a sustainable security program for software development that results in a business discussion.”
Orchestrating and automating correlated data from DevOps and CI/CD workflows without interrupting processes or inserting onerous tasks reduces the friction between development and security teams—what DevSecOps has been trying to achieve for years—while delivering visibility and assurance across the entire development lifecycle. ZeroNorth’s focus on business risk, resulting from DiGiambattista’s experiences as a CTO and security officer at non-tech companies, helps achieve the security-business alignment necessary for security teams trying to prove value without resorting to FUD or technical metrics.
ZeroNorth currently supports dozens of integrations that provide vulnerability discovery tools across the SDLC, so competition from individual tool vendors will be minimal. That said, if pitching DevOps teams, the company may come up against reluctance based on historical tensions with security placing itself in the critical path of software delivery. The key play here is seamless integration, a unified view across platforms, and automated vulnerability prioritization. Today, speed is the name of the game in software delivery. Any security platform that can accomplish this without requiring any changes to developer behavior is a win for the business.
If you’re one of the many companies relying on DevOps and CI/CD for the health of your business, give ZeroNorth a call and see what they have to offer.