Continuous.

If you’ve been working in DevOps for any length of time, then you have heard this term. It is the essence of what we are trying to do. Continuous is used to describe nearly every capability area. Think: Continuous Integration, Continuous Build, Continuous Deployment, Continuous Testing, Continuous Delivery, Continuous Monitoring and so on.

But one area hasn’t quite caught up yet.

Today, personal information and data privacy matter more than ever, especially as more interaction is driven through online means. There are more stringent rules on data collection and use, and regulations like GDPR, NYDFS, and CCPA demand better security for applications. Violations carry serious consequences.

All this means Continuous Security is rising to the forefront. But what IS Continuous Security?

What is Continuous Security?

Conduct an online search and you will find that most discussions revolve around two main ideas: integrating security testing into a pipeline and providing feedback on the results. Further discussion centers on performing these activities in ways that are developer-friendly. These two areas are also main components of DevSecOps. Both are necessary and awesome to do, but just as automating deployments isn’t the same as doing DevOps, running and reporting on tests in a pipeline isn’t Continuous Security.

Continuous Security is much more, with several different capability areas that need to be addressed, and not all of them align with development in a pipeline. In fact, we have found six capabilities that make a huge difference, and we have organized them into three thematic areas. These themes and capabilities appear in Figure 1 below:

Figure 1: Continuous Security Themes

Key Continuous Security Themes

In this short blog series, we will dive deeper into each thematic area in turn. For now, we will introduce these areas and their meaning.

Construct, as you might imagine, deals most directly with how we are making things. Its two capabilities are labeled Design and Automate. With Design, we want to convey the notion of including security right from the beginning and all throughout the SDLC. This includes planning, modeling, prioritization and more. The Automate capability is where most begin with DevOps and DevSecOps, but Automate is more than simply running tests in a prescribed manner. It involves behavior and decisions as well.

Intensify. This area is all about how we can do what we do, but better. Intensify addresses the processes, procedures and learning that are needed to optimize. The Educate capability is needed to continually improve not only code quality, but also estimates and trade-off decisions. Educate helps us answer the question: “How are we equipping our teams to be able to succeed?” The Govern capability enables us to move data effectively and make decisions with confidence. Govern examines our processes and helps us balance policies with projects so we can gain productivity.

Assure. This area is all about using the data and information we have to make better, more informed decisions that influence the entire SDLC. The Audit and Measure capabilities are meant to help us use data to drive the business. For example, with audits: does information from pen-testing teams make it into developer backlogs? When we measure: do we know which key metrics and measures provide the greatest benefit to risk management? These capabilities help determine whether we are able to balance risk and speed.

Each of these areas will be explored in more depth in separate blogs, and we invite you to read the series and share your comments. In addition, you can hear more thoughts on Continuous Security by viewing our recent webinar on BrightTALK or by listening to Episode #7 of our Application Paranoia Podcast, which can be found on Buzzsprout, Apple Podcasts, Spotify or Google Podcasts.
