Continuing our evaluation of legacy DAST vs Modern DAST, we’ve taken a light-hearted look at the operational and process challenges experienced by DevOps, Cybersecurity teams and QA when preparing Apps for release to the wild.
Likening the process to a game of ping-pong*, with DevOps and Cybersecurity teams batting stuff back and forth, here’s what we imagine it must feel like on both sides of the net.
There’s an inevitable increase in demand to meet operational and commercial objectives, with over half of all businesses increasing the number of apps they release 100-fold. DevOps teams are expanded to keep pace with the demand.
While the commercial and operational benefits are significant, so too are the security risks if releases aren’t thoroughly checked. Cybersecurity teams are already under pressure as the overall risk landscape increases. More apps testing means more pressure.
It seems obvious: more apps and more DevOps staff, so build the cybersecurity team accordingly.
Testing is historically a semi-automated or manual process so, while there are a number of tools available to search for risks, they all require interpretation by a qualified security professional to evaluate and grade each finding and to separate real risks from false positives.
As you’d expect, the growing demand for apps leads to delivery pressures and dev teams need to plan work, including code amendments from security testing.
All this leads to backlog and compromise, with security teams being asked to prioritise risks so DevOps can finish and release apps.
Prioritisation doesn’t remove security risk so, as teams compromise on which fixes they’ll address, businesses are faced with a growing security shortfall – or debt.
Operational imperatives prevail, but accountability is a reality, with the teams looking to ensure their reputations – and ultimately jobs – remain intact.
Who’s at fault for the backlog, bottlenecks and where does responsibility lie when a breach occurs?
Things are hotting up now, with accountability and responsibility being batted back and forth, and no shortage of all-out smashes and unexpected spin.
Legacy DAST has been around for years to support the security process, but these tools still require manual intervention.
Modern DAST is different: in the hands of DevOps, developers are able to test as they go. Using automation and AI, it gives them fast, accurate test results with no false positives.
This means cybersecurity teams are only testing a final version, not every stage.
Legacy DAST and associated licensing models are a considerable constraint.
Modern DAST is cloud-based, so the whole DevOps team can use it without restriction.
Because DevOps are carrying out security testing, it's easier to schedule workloads, resulting in faster turnaround of all your apps. More apps, delivered faster.
DevOps are in full control here, so there's no ping-pong between teams, less need for prioritisation of work and more bugs corrected.
But what about the security team? How do they fit in?
With the mundane testing taken care of, security teams can focus on the wider threat landscape within the business.
Modern DAST has given ownership and control to DevOps to better manage their workloads, removed the complexities associated with traditional security testing – like false positives – reduced security debt and released security teams to focus on the risks that really matter.
(* Ping-pong: UK slang for Table Tennis)
Bright Security are no exception, but we were impressed with their customer portfolio. Here are some of the brands they work with:
Richard Dickinson, EMEA Sales Director, Bright Security