AST as the Key to DevSecOps Maturity episode artwork

EPISODE · May 15, 2020

AST as the Key to DevSecOps Maturity

from Info Risk Today Podcast · host InfoRiskToday.com

DevSecOps is in its "awkward teenage years," says Matthew Rose of Checkmarx. But with new tooling and automation - particularly application security testing tools - he sees the practice maturing quickly and delivering improved outcomes.

Episode metadata supplied by the publisher feed · Published May 15, 2020

DevSecOps is in its "awkward teenage years," says Matthew Rose of Checkmarx. But with new tooling and automation - particularly application security testing tools - he sees the practice maturing quickly and delivering improved outcomes.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

AST as the Key to DevSecOps Maturity

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, I'm Tom Field, senior vice president of editorial with information security media group. My topic today is why automation of AST solutions is the key to DevSecOps. My guest today is Matthew Rose, he's director of application security strategy with check marks. Matt, thanks so much for spending time with me today.

Oh, thank you for having me. Thanks for the, we don't perform on Matt, it's fine. I just, that's, that's usually when I get a, you know, in trouble when I was a kid that my mother would use the full name. So that works up for me.

Matt, DevSecOps has had an awful lot of attention in recent times, particularly the last couple of years. If you were to take a step back, how would you describe today's state of DevSecOps? It's really interesting to kind of watch the, the evolution of DevOps or DevSecOps depending on who you're talking to in that everybody has an initiative around DevOps, but that initiative is in different phases. Some is just during initial discussions, some is actually a little more concrete.

Some people feel that they're fully based in their DevOps program, which is kind of like a, you know, a false sense of security because really the technology is in the tooling associated with DevOps is still catching up to the speed of DevOps and, you know, every six months there's a new type of technology or tooling that really allows DevOps to work even more effectively. So as we move forward, there's going to be additional automation, additional integration points that really allow DevOps to be mainstream. I think we're kind of still in the awkward teenage years associated with DevOps and a year or two from now, we'll start to be, you know, more of the college student, a little more focused on our goals and life associated with software delivery. You mentioned automation.

How do you find the development teams today are hindered by lack of automation? Automation is kind of what I talk about most, and we got to take a step back to think about that. Legacy software development was, you know, if you go out on Google software, you want to lifecycle say you were depicted linear, you know, they had a beginning and then with DevOps, there's just a process, a living breathing thing that's constantly evolving, and it's usually depicted by an infinity-lover, bow-tie-tyed graphic, and there's different phases. The thing that you need to think about is that there's typically in a very aggressive or modern DevOps program, something happening at every one of those phases all the time.

So the only way to keep up with the speed of DevOps is to automating the tooling, and really what DevOps is, is a overarching group of tools that are automated to work effectively in a repeatable process. I like to say that kind of, you know, a lot of times people don't even know what's happening behind the curtain, they hit a button, and that's the assembly line or the automation of putting together the 10,000 piece jigsaw puzzle that is your software. So it's paramount to the success of DevOps. Now, let's talk about application security testing tools.

How can the ones that leverage automation lead to better results? So that's, again, right in a hot button topic for me. The way that that needs to work is security technologies need to complement DevOps. They need to work the way DevOps works, and as DevOps are starting to evolve, security technologies are still a little bit old-school in terms of implementation.

We need additional steps to configure a security scan. You need an out-of-band processes to allow for security to happen. So from that standpoint, security technologies for a proper automation need to be complementing DevOps, not the other way around, and I like to use pop culture and different references to kind of give people a laugh. Did you ever see the movie Usual Suspects?

Yeah, absolutely. So the one of the famous lines from that movie is, you know, the greatest trick in a paraphrasing, the greatest trick in a developer fold was make the world think you did not exist. That's kind of what security technologies need to do. They need to be in the process, but you don't even know they're there.

They're just baked into the process, and you don't even know they exist, and they just follow the same flow of execution as the normal tooling associated with building software. So now the obvious follow-up, what kind of improved outcomes can we achieve by automating the vulnerability, detection, and triage? So from an application security standpoint, the biggest thing is automation identifies the risk. So you automate static analysis, scanning of the source code, you automate a testing of a running application, you automate the scanning of open source packages.

That's step one. The thing is that automation is now very fluid and producing a lot of data, and the goal of any application security program is around remediation. So not just the automation of the identification of results, but taking it a next step, so how do I circle that back to the people that are responsible for the remediation, and that's taking the automation a step further to integrate with the defect tracking or the bug reports that people are used to using? So the biggest kind of project of the situation is automation could produce more results that you need to be able to facilitate in an efficient way, not just say, hey, we scandal our application for security, we kind of all this stuff, right?

No, that's just the beginning of the equation and the beginning of the story. You need to automate all the way through the path, back to development for remediation, and then you just mix, watch, repeat, start through the flow again. Matt, upcoming you and I get the opportunity to work together on a webinar on this very topic. Why automation of ASD solutions is the key to DevSecOps?

What can attendees expect to learn when we take a deeper dive into this? The biggest thing is best practices. I also give a lot of presentations and talks at major conferences, lunch and learns, all these type of things with my customers and industry professionals. The biggest thing that you need to think about is what are the best practices?

People buy the bleeding edge application security technology piece, technology that they automate, they integrate it, they automate it, they turn it on, how do I make this work effectively? How do I compliment the process? What are the best practices? And there's a lot of different things that you need to do upfront, before you actually turn everything on, make sure the program goes smoothly, and that's really what we're going to talk about.

From a standpoint of our check marks and my new company's ability to execute the recent partner Magic Modern came out and there's a critical capability section and we were rated the highest of any application security testing product for our DevOps automation capabilities because we don't have to do it one way, we can do it through the CI orchestration, from a source code management system. So that really helps with the automation of the technology, but also the best practices to get it working correctly. I'm glad you mentioned that because I did note that check marks has been named a Gartner Magic Quadrant Leader for application security testing for the third consecutive year. What do you find to be the significance of this designation and what do you believe gives check marks and advantage in this marketplace?

So the biggest thing is organizations are really looking for different or a portfolio of products that help them address the risks associated with application security, and we provide a very robust portfolio to identify vulnerabilities at different stages of DevOps. There's a lot of great companies out there that have one product, one capability, but that's just a snapshot in time. You have many different things happening during a DevOps process, so you need the ability to scan on the left in the development environment. You need the ability to scan in the middle, turn the CI orchestration, you need to be able to scan a running application that's complementary to the process.

That's one of the reasons why we have grown so rapidly is that, based on that usual suspects type of comment that I made, that we can actually fit into the process at all those phases without being cumbersome or obstacle to success of the program. There's not one silver bullet in application security, vulnerability identification. You need different snapshots or different processes to identify different risks, and then correlate those results across the different technologies, which allows you a much better and effective way to remediate. The reason being is that there's going to be just too much information to process by itself, so we really help focus the attention, because there's only so many resources available to remediate vulnerabilities and only so much time in the day, and there are so many potential vulnerabilities, we need to work smarter, not easier.

Man, great conversation. I look forward to working with you on the webinar as well. Thanks so much. Thank you so much.

Have a great weekend. Again, we've been talking about why automation of application security testing tools is the key to DevSecOps, and speaking with Matt Rose, director of application security strategy with check marks. For information security media group, I'm Tom Field. Thank you very much.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on May 15, 2020.

What is this episode about?

DevSecOps is in its "awkward teenage years," says Matthew Rose of Checkmarx. But with new tooling and automation - particularly application security testing tools - he sees the practice maturing quickly and delivering improved outcomes.

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!