Manage Learn to apply best practices and optimize your operations.

Wildly outnumbered, app sec pros turn to automation

Today's enterprise app sec pro can be expected to work with as many as 200 programmers. Keeping up with the pace requires security automation.

While security is a growing concern for enterprise software projects, upper management still isn't backing application security with bountiful resources. New vulnerabilities are found every day, which leaves many software development teams in the familiar struggle to do more with less when it comes to security. Shrewd app sec experts have found automation lets them cover more ground in less time and with less staff hours.

Brandon Spruth, an app sec pro with considerable experience in the financial services industry, said application security professionals are always outnumbered by the developers they work with. "When you're putting together an enterprise security program," Spruth said, "automation is the cornerstone."

Matt Tesauro, senior product security engineer at Rackspace, agrees. "We try to automate everything we can because getting the job done without enough people seems to be standard operating procedure [in the industry]."

When you're putting together an enterprise security program automation is the cornerstone.

Brandon Spruth, App sec pro

In fact, Computer Economics studies show that approximately 20% of the staff of a typical IT organization are developers, while only 2% are security professionals. Application security professionals make up only a fraction of that 2%. Anecdotal evidence suggests the ratio of developers to app sec pros can exceed 200:1 in large enterprise application development settings.

Keeping up with that many developers can be very challenging. Both Spruth and Tesauro implemented automated security scanning and tracking with a vulnerability management tool called ThreadFix. ThreadFix doesn't scan for security vulnerabilities itself. Instead, it integrates with a wide variety of open source and proprietary security tools to help application security pros and project managers gain a comprehensive view of their software security.

The development team at Rackspace is very large and contains multiple groups and subgroups, each with its own way of handling security issues and the development process in general. Tesauro said all the teams work through application lifecycle management (ALM) tools from VersionOne. Those tools "give the developers a lot of process malleability, which is great for them," Tesauro said, "but it also made things confusing for us."

Tesauro said his team used to maintain separate Word document scripts that his security pros would use when talking with project managers about security issues. The scripts told the app sec pro which processes that particular development team used and which terminology would be most appropriate. They helped the security pros keep straight important details -- for instance, whether the team in question used Scrum or kanban.

ThreadFix automates that communication aspect to a large degree. The security professionals built a separate profile for each development team, based largely on the information that was in their old scripts. Using these profiles, RackSpace software security engineer Henry Yamauchi was able to write and contribute a piece of code that lets ThreadFix translate bug information for each team and export it right into that team's particular VersionOne-based workflow.

Spruth also uses ThreadFix to help automate the way he communicates security bugs to developers. "The only right way to do that," he said, "is to enter security vulnerabilities directly into the developers' bug tracking system." ThreadFix can export security bug information into the developers' project management system  -- which could be a story backlog, an issue tracking system or even the individual developer's integrated development environment, or IDE.

Doing so helps developers prioritize security issues alongside other bugs and features. This helps application security managers merge security concerns into the developers' natural workflow. Developers don't have to break away from the rest of their work to focus on security, and therefore they're much more likely to address security concerns in a timely manner.

Dig Deeper on Topics Archive

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

This article seems to be very poorly researched. There must be other tools out there which are comparable to the one open source solution mentioned here. Any real life enterprise level solutions you come across? Or was the time limit to write a shoddy article over?
Thanks Brutally Honest Abe,
I always appreciate thoughtful feedback.
There are well-known enterprise application security management products that I should have mentioned. There are off the shelf solutions like HP's WebInspect and IBM's Appscan that provide for the automated use of their own tools. On the plus side, they're simple and they're designed to help enterprises prove regulatory compliance, which may be an organization's biggest concern. On the other hand, these tools are expensive and don't play well with others. Most application security folks I've talked to say that no one set of tools is the perfect fit for everyone. They advise an approach of layering various different security scanners alongside each other to maximize benefits and minimize weaknesses.
This is where a tool like Burp Suite might come in handy. Burp Suite has its own tools to offer, but it also allows app sec pros to automate a collection of third-party scanning tools. Those could be from big commercial vendors like HP and IBM, but are more likely to be a wide variety of free and open source tools. This is one popular alternative to the “automation without vendor lock-in” that ThreadFix provides.
All of those tools, to the best of my knowledge, provide vulnerability information to the app sec pros that run them. Some of them provide an automated way to report those vulnerabilities to management and/or developers.
ThreadFix is the first tool that I know of that provides automated communication of vulnerabilities to the developers within their existing workflow. It automates not only the scanning and discovery of vulnerabilities, but more importantly the creation of actionable defects for the developers that don’t feel separate from the rest of their work. This is really important when the hard part isn’t finding security vulnerabilities, but getting developers to devote time to fixing them.
Thanks again for reading. If you have any more feedback on this or any other articles on the site please feel free to email me at
Thanks for your comments editor. I would disagree with you that threadfix is the first, or even a complete solution in this space. Dradis (also open source) does a good job at it too. NetsPI's CorrelatedVM is perhaps the most complete enterprise ready solution out there in the market for this. Please check them both out. Perhaps a compare and contrast article is in order.
I was completely unaware of Dradis before. I had heard of NetSPI, but not about CorrelatedVM. Thanks for bringing them to my attention. My impression is that over the past two years the Dradis project has started to dry up while ThreadFix has been undergoing a lot of growth. This is based mostly on the data I found at Ohloh ( .
I have nothing bad at all to say about the folks at NetSPI and I would like to see in better detail how ThreadFix and CorrelatedVM stack up against each other, especially in terms of communicating with a large and varied developer pool. I'll try and get some coverage on that before the year is out.
Great. Let me know once you have had a chance to cover NetsPI's solution. I have looked at all three, and CorrelatedVM is currently the market leader by light years in my opinion.