To answer this question we need to take a quick look at the differences between DevOps, QA, and Security when it comes to automation. For those of us who have been living on the front lines of traditional AppSec activities such as penetration testing and dynamic or static code analysis, it may be obvious that the tools and techniques we traditionally use were built for waterfall-native rather than DevOps-native environments. But for executives who came to security from infrastructure, networking, or development, and have never run a security program, the task of bringing traditional toolsets and practices up to the velocity expected in DevSecOps may not be so clear.
Today it is common for security executives to come from non-security domains, in large part because of the shortage of security professionals. To understand the differences between the domains, we should first look at how the outputs and metrics of traditional security compare with those of the other disciplines. With that understanding we can build more empathy and then work on improving collaboration between the domains.
One key difference between DevOps, QA, and Security is that the first two are largely deterministic, while the last is not. A build either passes or fails, and a test suite gives the same answer on the same input every time. For security professionals, by contrast, the traditional methods of assessing risk or recommending ways to mitigate it usually require human judgement rather than machine-driven activity.
In the case of architecture review and threat modeling, two other important AppSec activities that are often required by compliance standards such as SOC 2, HIPAA, or PCI DSS, the work becomes even less deterministic: the outcome of the analysis can be hard to predict and depends heavily on the assessor's background.
Needless to say, automation is nowhere close to handling this kind of activity. The best we can do here is to strip out unnecessary complexity, drop pseudo-scientific approaches to estimating risk (DREAD, for example), and describe the threats in a simple threat table with severities that everyone understands: Low, Medium, High.
Does this mean there is nothing we can do to automate security and make it faster? Of course not. As security engineers, we can and should look for new ways to benefit from automation and from more deterministic security methods. These ideas are not original and have been catching on in recent years. Personally, I have been talking about them for almost three years now: first at LASCON 2015, "How Traditional AppSec Needs to Change," then at AppSecCali 2016, "Making Security Agile," and most recently at RSA 2017 DevOps, "Getting Security Up to Speed."
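As an added illustration of the two preceding points (this is example code written for this page, not code from the article or from any of the talks mentioned): the threat table keeps the human judgement down to three severities, and the only thing handed to the machine is a fixed rule over that table, so the gate gives the same verdict on the same table every time. The sample threats, the pipe-delimited table format, and the function names are all assumptions made for the example.

```python
"""Threat table with Low/Medium/High severities plus a deterministic gate.

Added illustration, not code from the original article. The severity of
each threat is still assigned by a human in review; what the machine does
is apply a fixed, repeatable rule to that table.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Severity(IntEnum):
    """Only three levels, so the ordering is obvious to everyone."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

    @classmethod
    def from_label(cls, label: str) -> "Severity":
        try:
            return cls[label.strip().upper()]
        except KeyError:
            # Reject anything outside the agreed vocabulary (no "Critical", no "7/10").
            raise ValueError(f"unknown severity label: {label!r}")


@dataclass
class Threat:
    id: str
    severity: Severity
    description: str
    mitigation: str = ""  # empty means nobody has recorded a mitigation yet

    @property
    def mitigated(self) -> bool:
        return bool(self.mitigation.strip())


# Constructed sample table for a hypothetical web service (not real findings).
THREAT_TABLE_TEXT = """\
ID   | Severity | Threat                                   | Mitigation
T-01 | High     | Session token passed in URL query string | Token moved to HttpOnly cookie
T-02 | High     | Admin API reachable without MFA          |
T-03 | Medium   | Stack traces returned on HTTP 500        | Generic error page in production
T-04 | Medium   | No rate limit on password reset          |
T-05 | Low      | Server header reveals framework version  |
"""


def parse_threat_table(text: str) -> List[Threat]:
    """Parse a pipe-delimited table whose first line is the header."""
    threats = []
    for lineno, line in enumerate(text.strip().splitlines()):
        if lineno == 0 or not line.strip():
            continue  # skip the header and blank lines
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3:
            raise ValueError(f"malformed row {lineno + 1}: {line!r}")
        cells += [""] * (4 - len(cells))  # tolerate a missing trailing mitigation cell
        tid, label, desc, mitigation = cells[:4]
        threats.append(Threat(tid, Severity.from_label(label), desc, mitigation))
    return threats


def summarize(threats: List[Threat]) -> Dict[str, int]:
    """Count threats per severity, e.g. {'High': 2, 'Medium': 2, 'Low': 1}."""
    counts = {s.name.capitalize(): 0 for s in sorted(Severity, reverse=True)}
    for t in threats:
        counts[t.severity.name.capitalize()] += 1
    return counts


def blocking_threats(threats: List[Threat], block_at: Severity = Severity.HIGH) -> List[Threat]:
    """Deterministic rule: an unmitigated threat at or above block_at blocks the release."""
    return [t for t in threats if t.severity >= block_at and not t.mitigated]


def release_allowed(threats: List[Threat], block_at: Severity = Severity.HIGH) -> bool:
    """Same table in, same verdict out, so this can sit in a pipeline stage."""
    return not blocking_threats(threats, block_at)


THREATS = parse_threat_table(THREAT_TABLE_TEXT)

if __name__ == "__main__":
    print("Severity summary:", summarize(THREATS))
    for t in blocking_threats(THREATS):
        print(f"BLOCKING {t.id} [{t.severity.name}] {t.description}")
    print("Release allowed:", release_allowed(THREATS))
```

The split of responsibilities is the point: deciding that "Admin API reachable without MFA" is High is the non-deterministic, human part and stays in the review; deciding whether a table with an unmitigated High may ship is the deterministic part and is the only thing the pipeline decides. Lowering `block_at` to Medium tightens the policy without changing anyone's judgement.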
Information security has the opportunity to be less of an inhibitor to DevOps practices when the right approach is taken. That said, we should always take into account the non-deterministic nature of some essential security practices and set expectations accordingly when talking to executives. The bottom line: security is perceived as an inhibitor to DevOps agility because, in many ways, it still is one. Human effort cannot always be automated, but there are opportunities to improve by exploring new approaches. In this regard, my big hope is that we will see deeper penetration of AI and machine learning into the security domain. It won't be easy, but the progress in the intrusion detection and intrusion prevention (IDS/IPS) space makes me think it will eventually help automate traditional AppSec activities as well.