Secure SDLC Automation: Going Beyond the Scanners

AquilaX Security
Apr 21, 2024


So, we’ve all heard about the Secure Software Development Life Cycle (SDLC) and automation. It’s like a vast ocean, isn’t it? You could write a 300-page book just on that! But today, let’s zoom in on a specific challenge in automation. We’re leaving out the usual suspects like code scanning, library scanning, and infrastructure checks because, well, they’re the low-hanging fruit. You throw some code at the scanner, and it tells you what’s wrong. Easy peasy!

But what’s been swirling in my mind lately are the security assessment activities that need a human touch before software hits production. Think about it:

1. Threat Modelling
2. Penetration Testing
3. Recertification
4. Compliance

Now, how do you automate those bad boys? Truth bomb: you can’t. Sure, you’ll find folks out there making claims about automating everything under the sun. But the reality is, you don’t even know when to schedule a manual penetration test, let alone automate it! (And no, I’m not talking about running a DAST. We’re talking old-school pentesting here!)

So, picture this: you’ve got software changing faster than the weather in spring (we’re talking continuous deployment era, not stuck in 2005!). When do you even squeeze in a pentest? Some might say every major release, annually, or just before the big launch. But guess what? Those are all guesswork, and they fall apart when your team’s cranking out new features every day.

Now, here’s where it gets interesting. AquilaX is onto something. They believe everything starts with code changes (let’s call them commits). A commit tells you exactly what changed, who did it, and what it does. So, why not use that as a starting point? Imagine building a risk profile of your application based on commits. Each time there’s a change, you assess the risk delta. If there’s a risk spike, ding ding! The engine alerts and puts the brakes on the release until a human (yep, like a pentester) steps in. Simple, right?
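To make the commit-driven idea concrete, here is an added toy example (my own sketch, not AquilaX’s engine or its risk tree): each commit gets a risk delta from how much it touches sensitive areas, a single spike halts the release for a pentester, and risk accumulated since the last manual test decides when the next pentest is due. The path weights, thresholds and commit history are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical risk weights per code area (assumption, not AquilaX's risk tree).
RISK_WEIGHTS = {"auth/": 5.0, "crypto/": 5.0, "payments/": 4.0, "api/": 2.0, "tests/": 0.5, "ui/": 0.5}
DEFAULT_WEIGHT = 1.0
SPIKE_THRESHOLD = 40.0  # single-commit delta that halts the release (assumption)
PENTEST_BUDGET = 100.0  # risk accumulated since the last manual test (assumption)

@dataclass
class Commit:
    sha: str
    author: str   # carried for the audit trail; not weighted here
    files: dict   # path -> lines changed

def path_weight(path):
    """Weight of a touched path by the first matching area prefix."""
    for prefix, weight in RISK_WEIGHTS.items():
        if path.startswith(prefix):
            return weight
    return DEFAULT_WEIGHT

def commit_risk(commit):
    """Risk delta of one commit: churn weighted by the sensitivity of each path."""
    return sum(path_weight(p) * lines for p, lines in commit.files.items())

def assess(commits):
    """Replay commits in order; per commit decide RELEASE, BLOCK or SCHEDULE."""
    accumulated, verdicts = 0.0, []
    for c in commits:
        delta = commit_risk(c)
        accumulated += delta
        if delta >= SPIKE_THRESHOLD:
            verdicts.append((c.sha, "BLOCK: risk spike, pentester sign-off required"))
            accumulated = 0.0  # the manual review covers everything up to here
        elif accumulated >= PENTEST_BUDGET:
            verdicts.append((c.sha, "SCHEDULE: accumulated risk, pentest due"))
            accumulated = 0.0
        else:
            verdicts.append((c.sha, "RELEASE"))
    return verdicts

# Constructed sample history (not real commits).
SAMPLE = [
    Commit("b2", "bob", {"api/users.py": 12, "tests/test_users.py": 8}),
    Commit("c3", "carol", {"auth/session.py": 9}),
    Commit("d4", "dave", {"ui/theme.css": 40}),
    Commit("e5", "erin", {"api/orders.py": 18}),
    Commit("f6", "frank", {"payments/refund.py": 9}),
    Commit("g7", "grace", {"api/search.py": 5}),
]
```

Running `assess(SAMPLE)` blocks the small auth change (c3) on its own, while a string of individually harmless commits only triggers a pentest once their combined risk crosses the budget (g7).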

While everyone else is fixated on automated code scanning, AquilaX is tackling the big question: How and when does your risk change with every commit?

They’ve got a solution cooking, and they’re aiming to roll it out to customers by 2024. Using a risk tree and AI, they’re sniffing out those risk shifts with every commit. Stay tuned for the demo in the coming months. It’s gonna be a game-changer!
