While security is a growing concern for enterprise software projects, upper management still isn't backing application
security with bountiful resources. New vulnerabilities are found every day, which leaves many software development teams in the familiar struggle to do more with less when it comes to security. Shrewd app sec experts have found automation lets them cover more ground in less time and with less staff hours.
Brandon Spruth, an app sec pro with considerable experience in the financial services industry, said application security professionals are always outnumbered by the developers they work with. "When you're putting together an enterprise security program," Spruth said, "automation is the cornerstone."
Matt Tesauro, senior product security engineer at Rackspace, agrees. "We try to automate everything we can because getting the job done without enough people seems to be standard operating procedure [in the industry]."
When you're putting together an enterprise security program automation is the cornerstone.
Brandon Spruth, App sec pro
In fact, Computer Economics studies show that approximately 20% of the staff of a typical IT organization are developers, while only 2% are security professionals. Application security professionals make up only a fraction of that 2%. Anecdotal evidence suggests the ratio of developers to app sec pros can exceed 200:1 in large enterprise application development settings.
Keeping up with that many developers can be very challenging. Both Spruth and Tesauro implemented automated security scanning and tracking with a vulnerability management tool called ThreadFix. ThreadFix doesn't scan for security vulnerabilities itself. Instead, it integrates with a wide variety of open source and proprietary security tools to help application security pros and project managers gain a comprehensive view of their software security.
The development team at Rackspace is very large and contains multiple groups and subgroups, each with its own way of handling security issues and the development process in general. Tesauro said all the teams work through application lifecycle management (ALM) tools from VersionOne. Those tools "give the developers a lot of process malleability, which is great for them," Tesauro said, "but it also made things confusing for us."
Tesauro said his team used to maintain separate Word document scripts that his security pros would use when talking with project managers about security issues. The scripts told the app sec pro which processes that particular development team used and which terminology would be most appropriate. They helped the security pros keep straight important details -- for instance, whether the team in question used Scrum or kanban.
ThreadFix automates that communication aspect to a large degree. The security professionals built a separate profile for each development team, based largely on the information that was in their old scripts. Using these profiles, RackSpace software security engineer Henry Yamauchi was able to write and contribute a piece of code that lets ThreadFix translate bug information for each team and export it right into that team's particular VersionOne-based workflow.
Spruth also uses ThreadFix to help automate the way he communicates security bugs to developers. "The only right way to do that," he said, "is to enter security vulnerabilities directly into the developers' bug tracking system." ThreadFix can export security bug information into the developers' project management system -- which could be a story backlog, an issue tracking system or even the individual developer's integrated development environment, or IDE.
Doing so helps developers prioritize security issues alongside other bugs and features. This helps application security managers merge security concerns into the developers' natural workflow. Developers don't have to break away from the rest of their work to focus on security, and therefore they're much more likely to address security concerns in a timely manner.