The security industry is a pressure cooker. Teams race to get apps ready for the marketplace, often having to make difficult, time-saving decisions that hurt security in the process. The result is constant stress for those who work in DevSecOps, followed by the rising potential for burnout.
- Related Podcast: SecurityWeekly News discussion on burnout
But there are ways security teams can modernize their AppSec approach to relieve stress and burnout while improving their security posture in the process. Meaghan McBee of Invicti Security recently outlined AppSec features that can make the difference, most notably automation.
Skills gap not helping
One cause of burnout in the profession: not enough skilled practitioners to handle an ever-expanding threat landscape. McBee cited a recent Information Systems Security Association (ISSA) study where 70% of members pointed to the lack of help at a time when, according to Verizon’s Data Breach Investigations Report, ransomware attacks have risen 13% in the last year.
For those tasked with DevSecOps and AppSec, the pressures are particularly daunting. It’s exceedingly difficult to find and fix every vulnerability before an application goes to market. Fortunately, McBee wrote, tools exist to help ensure security and alleviate the pressure.
Importance of Automation
“In web application development, subpar security or antiquated tools can create manual work or rework for DevSecOps professionals,” she wrote. “That’s where automation shines, handling those more tedious security processes. When paired together, dynamic application security testing (DAST) and interactive application security testing (IAST) cut back on as much manual work as possible through the automatic discovery and scanning of all applications in development and production.”
Teams can build comprehensive, quick security testing right into the software development lifecycle (SDLC) with automated scans triggered in continuous integration/continuous delivery environments (CI/CD) or scheduled to test apps in production, she said.
- Related SecurityWeekly podcast: Sonali Shah, chief product officer at Invicti Security, discusses solutions to burnout in DevSecOps
“It’s about more than just fortifying security processes in the SDLC; automated vulnerability confirmation enables teams to remediate issues quickly and confidently, freeing up valuable time for security and development professionals so that they can focus on more high-value initiatives,” McBee concluded.
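The two points above, scans that run automatically in the CI/CD pipeline and vulnerability confirmation that separates real findings from noise, usually meet in a "quality gate" step that decides whether a build may proceed. The script below is an added illustration of such a gate, not code from the article or from Invicti; the JSON report layout, the finding IDs and the severity names are constructed, hypothetical values and do not represent any real scanner's export format. Confirmed findings at or above the threshold block the build, while unconfirmed ones at the same severity are routed to triage rather than failing the pipeline, which is what keeps false positives from eating developer time.

```python
"""Constructed example: a CI/CD quality gate over DAST/IAST scan results.

The report shape below is hypothetical. It is used only to show how a
pipeline step can fail a build on confirmed findings while keeping
unconfirmed ones visible for triage.
"""
import json
import sys
from dataclasses import dataclass, field

# Severity ordering used for the gate threshold (assumed naming, not a
# real scanner's scale).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GateDecision:
    """Outcome of evaluating one scan report against the gate policy."""
    blocking: list = field(default_factory=list)      # confirmed, >= threshold
    needs_triage: list = field(default_factory=list)  # unconfirmed, >= threshold
    passed: bool = True


def evaluate_scan(report_json: str, fail_at: str = "high") -> GateDecision:
    """Apply the gate policy to a JSON scan report.

    A finding blocks the build only if it is both confirmed and at or above
    the `fail_at` severity. Unconfirmed findings at that severity are
    collected for human triage instead of failing the pipeline.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at.lower()]
    decision = GateDecision()
    for finding in report.get("findings", []):
        severity = SEVERITY_RANK.get(finding.get("severity", "").lower(), 0)
        if severity < threshold:
            continue
        if finding.get("confirmed", False):
            decision.blocking.append(finding["id"])
        else:
            decision.needs_triage.append(finding["id"])
    decision.passed = not decision.blocking
    return decision


def summarize(decision: GateDecision) -> str:
    """Human-readable line for the CI job log."""
    status = "PASS" if decision.passed else "FAIL"
    return (f"gate={status} blocking={decision.blocking} "
            f"triage={decision.needs_triage}")


# Constructed sample report (hypothetical IDs, paths and categories).
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.invalid",
    "findings": [
        {"id": "F-1", "severity": "high", "confirmed": True,
         "category": "sql_injection", "path": "/login"},
        {"id": "F-2", "severity": "medium", "confirmed": True,
         "category": "missing_security_header", "path": "/"},
        {"id": "F-3", "severity": "high", "confirmed": False,
         "category": "possible_xss", "path": "/search"},
        {"id": "F-4", "severity": "low", "confirmed": False,
         "category": "verbose_server_banner", "path": "/"},
    ],
})


if __name__ == "__main__":
    # In a pipeline the report would be read from the scanner's output file;
    # here the constructed sample is used so the script runs stand-alone.
    result = evaluate_scan(SAMPLE_REPORT, fail_at="high")
    print(summarize(result))
    sys.exit(0 if result.passed else 1)
```

Run as a pipeline step, the non-zero exit code on `FAIL` is what stops the merge or deployment; the `fail_at` threshold is the one knob teams typically tune per environment (stricter for production deploys, looser for early feature branches) so the gate stays useful rather than being disabled out of frustration.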