Hi, I'm Tom Field, senior vice president of editorial with information security media group. My topic today is why automation of AST solutions is the key to DevSecOps. My guest today is Matthew Rose, he's director of application security strategy with check marks. Matt, thanks so much for spending time with me today.
Oh, thank you for having me. Thanks for the, we don't perform on Matt, it's fine. I just, that's, that's usually when I get a, you know, in trouble when I was a kid that my mother would use the full name. So that works up for me.
Matt, DevSecOps has had an awful lot of attention in recent times, particularly the last couple of years. If you were to take a step back, how would you describe today's state of DevSecOps? It's really interesting to kind of watch the, the evolution of DevOps or DevSecOps depending on who you're talking to in that everybody has an initiative around DevOps, but that initiative is in different phases. Some is just during initial discussions, some is actually a little more concrete.
Some people feel that they're fully based in their DevOps program, which is kind of like a, you know, a false sense of security because really the technology is in the tooling associated with DevOps is still catching up to the speed of DevOps and, you know, every six months there's a new type of technology or tooling that really allows DevOps to work even more effectively. So as we move forward, there's going to be additional automation, additional integration points that really allow DevOps to be mainstream. I think we're kind of still in the awkward teenage years associated with DevOps and a year or two from now, we'll start to be, you know, more of the college student, a little more focused on our goals and life associated with software delivery. You mentioned automation.
How do you find the development teams today are hindered by lack of automation? Automation is kind of what I talk about most, and we got to take a step back to think about that. Legacy software development was, you know, if you go out on Google software, you want to lifecycle say you were depicted linear, you know, they had a beginning and then with DevOps, there's just a process, a living breathing thing that's constantly evolving, and it's usually depicted by an infinity-lover, bow-tie-tyed graphic, and there's different phases. The thing that you need to think about is that there's typically in a very aggressive or modern DevOps program, something happening at every one of those phases all the time.
So the only way to keep up with the speed of DevOps is to automating the tooling, and really what DevOps is, is a overarching group of tools that are automated to work effectively in a repeatable process. I like to say that kind of, you know, a lot of times people don't even know what's happening behind the curtain, they hit a button, and that's the assembly line or the automation of putting together the 10,000 piece jigsaw puzzle that is your software. So it's paramount to the success of DevOps. Now, let's talk about application security testing tools.
How can the ones that leverage automation lead to better results? So that's, again, right in a hot button topic for me. The way that that needs to work is security technologies need to complement DevOps. They need to work the way DevOps works, and as DevOps are starting to evolve, security technologies are still a little bit old-school in terms of implementation.
We need additional steps to configure a security scan. You need an out-of-band processes to allow for security to happen. So from that standpoint, security technologies for a proper automation need to be complementing DevOps, not the other way around, and I like to use pop culture and different references to kind of give people a laugh. Did you ever see the movie Usual Suspects?
Yeah, absolutely. So the one of the famous lines from that movie is, you know, the greatest trick in a paraphrasing, the greatest trick in a developer fold was make the world think you did not exist. That's kind of what security technologies need to do. They need to be in the process, but you don't even know they're there.
They're just baked into the process, and you don't even know they exist, and they just follow the same flow of execution as the normal tooling associated with building software. So now the obvious follow-up, what kind of improved outcomes can we achieve by automating the vulnerability, detection, and triage? So from an application security standpoint, the biggest thing is automation identifies the risk. So you automate static analysis, scanning of the source code, you automate a testing of a running application, you automate the scanning of open source packages.
That's step one. The thing is that automation is now very fluid and producing a lot of data, and the goal of any application security program is around remediation. So not just the automation of the identification of results, but taking it a next step, so how do I circle that back to the people that are responsible for the remediation, and that's taking the automation a step further to integrate with the defect tracking or the bug reports that people are used to using? So the biggest kind of project of the situation is automation could produce more results that you need to be able to facilitate in an efficient way, not just say, hey, we scandal our application for security, we kind of all this stuff, right?
No, that's just the beginning of the equation and the beginning of the story. You need to automate all the way through the path, back to development for remediation, and then you just mix, watch, repeat, start through the flow again. Matt, upcoming you and I get the opportunity to work together on a webinar on this very topic. Why automation of ASD solutions is the key to DevSecOps?
What can attendees expect to learn when we take a deeper dive into this? The biggest thing is best practices. I also give a lot of presentations and talks at major conferences, lunch and learns, all these type of things with my customers and industry professionals. The biggest thing that you need to think about is what are the best practices?
People buy the bleeding edge application security technology piece, technology that they automate, they integrate it, they automate it, they turn it on, how do I make this work effectively? How do I compliment the process? What are the best practices? And there's a lot of different things that you need to do upfront, before you actually turn everything on, make sure the program goes smoothly, and that's really what we're going to talk about.
From a standpoint of our check marks and my new company's ability to execute the recent partner Magic Modern came out and there's a critical capability section and we were rated the highest of any application security testing product for our DevOps automation capabilities because we don't have to do it one way, we can do it through the CI orchestration, from a source code management system. So that really helps with the automation of the technology, but also the best practices to get it working correctly. I'm glad you mentioned that because I did note that check marks has been named a Gartner Magic Quadrant Leader for application security testing for the third consecutive year. What do you find to be the significance of this designation and what do you believe gives check marks and advantage in this marketplace?
So the biggest thing is organizations are really looking for different or a portfolio of products that help them address the risks associated with application security, and we provide a very robust portfolio to identify vulnerabilities at different stages of DevOps. There's a lot of great companies out there that have one product, one capability, but that's just a snapshot in time. You have many different things happening during a DevOps process, so you need the ability to scan on the left in the development environment. You need the ability to scan in the middle, turn the CI orchestration, you need to be able to scan a running application that's complementary to the process.
That's one of the reasons why we have grown so rapidly is that, based on that usual suspects type of comment that I made, that we can actually fit into the process at all those phases without being cumbersome or obstacle to success of the program. There's not one silver bullet in application security, vulnerability identification. You need different snapshots or different processes to identify different risks, and then correlate those results across the different technologies, which allows you a much better and effective way to remediate. The reason being is that there's going to be just too much information to process by itself, so we really help focus the attention, because there's only so many resources available to remediate vulnerabilities and only so much time in the day, and there are so many potential vulnerabilities, we need to work smarter, not easier.
Man, great conversation. I look forward to working with you on the webinar as well. Thanks so much. Thank you so much.
Have a great weekend. Again, we've been talking about why automation of application security testing tools is the key to DevSecOps, and speaking with Matt Rose, director of application security strategy with check marks. For information security media group, I'm Tom Field. Thank you very much.