FortiDevSec - FortiDAST Add On, 5 Year. Adds FortiDAST web vulnerability scanning / DAST functionality to FortiDevSec. Both products are to be used in their SaaS versions. This SKU provides access for scanning 5 apps using FortiDAST, on top of the 5 apps for DAST that are included by default with each FortiDevSec license.

Availability: Not in stock
SKU: FC1-10-DEVSC-216-02-60
86 732,00 kr excl. VAT
Description

Software applications are everywhere, and the success of every business depends on its ability to develop and deploy business software applications faster and faster.

Since time-to-market is crucially important, businesses simply cannot afford to follow the traditional, slower waterfall method of application development anymore. The waterfall model is a sequential approach in which changes to the application are deployed perhaps once in many months, and the development team moves to the next phase of development or testing only if the previous step has completed successfully.

Application development teams are now adopting agile and DevOps methodologies for rapid application development and deployment. In the agile model, development and testing activities are concurrent and continuously iterated. The application changes are deployed very frequently to the cloud, and so the development, functional, and application security (AppSec) testing teams have tighter collaboration and communication with faster turnaround times. This condition has led to the need to automate the workflow involved in building and deploying applications to the cloud, and subsequently, to the rise of the DevOps role, wherein continuous integration/continuous deployment (CI/CD) tools are used to enable this automation.

Application security (AppSec) testing needs to be automated as well, made to work in this CI/CD paradigm, and incorporated into the earlier stages of the development cycle (commonly referred to as shift-left). This is where many AppSec testing products fall short: they are not natively built around the user experience of developers and DevOps engineers, who typically do not have much AppSec expertise and are therefore unable to use such products effectively. Quite simply, they are not DevSecOps enabled.

DevSecOps is short for development, security, and operations. It refers to automating the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.

Innovative product offering

AppSec testing is also very fragmented. Many types of AppSec scans need to be run on an application to find all of its vulnerabilities, and these are usually offered by separate products. A multi-product solution creates fragmentation and hinders DevSecOps enablement of AppSec. The industry needs an innovative AppSec product that has DevSecOps in its DNA: easy for developers and DevOps to use without specialized security expertise, and comprehensive enough to cover all types of AppSec scans, including SAST, DAST, SCA, Secrets, and more.

FortiDevSec is Fortinet's DevSecOps product. FortiDevSec offers cloud/SaaS-based continuous application security testing built from the ground up to focus natively on software developers and DevOps. FortiDevSec enables the shift-left architecture for application security by finding security vulnerabilities in applications in the early stages of the development lifecycle, allowing developers to find and fix issues quickly before the application even goes to production. FortiDevSec integrates and sits natively in the application's DevOps CI/CD pipeline. It offers comprehensive application scanning, including scanning of source code, third-party libraries, secrets, and live web application URLs. It then aggregates the security issues and presents them in an easy-to-use web portal. Intelligent noise reduction enables developers to prioritize the most critical vulnerabilities without being overwhelmed.

Simple security for modern app development

Modern application development combines rapid application development using agile methodologies, cloud-native design, microservice and container-based architectures, CI/CD to automate build and deployment, and the need to automate application security testing in CI/CD. FortiDevSec orchestrates and automates continuous application security testing for developers and DevOps directly in the application's CI/CD DevOps lifecycle. DevOps can integrate FortiDevSec by copying a few lines of code into their CI/CD configuration, without requiring any AppSec expertise. This allows AppSec to work at the speed of DevOps. FortiDevSec supports all major CI/CD tools, languages, and frameworks. For DevOps, it provides a single automation layer for all application security scan types through a unified YAML configuration; there is no need to include multiple plugins for multiple scanners. The scanners ship as dockerized images that are always updated to the latest version, which keeps overall manageability simple.

Comprehensive vulnerability management

Applications need to be secured against multiple attack vectors, and to do that they need to be security tested with many types of scanners. Static or source code testing (SAST) scans the application's own source code; SCA/OSS scans the third-party libraries (typically open-source libraries) included in the application; Secrets scanning looks for plaintext passwords and other credentials in the code; and DAST, or dynamic testing, analyzes a web application through its frontend to find vulnerabilities through simulated attacks. FortiDevSec provides comprehensive vulnerability management by including multiple types of testing: SAST, SCA/OSS, Secrets, and DAST. FortiDevSec introspects each application and automatically selects the types of scanning that are needed and relevant for it, based on attributes such as languages and frameworks. Scanners are automatically downloaded or updated as dockerized images in the FortiDevSec agent.

Consolidated dashboard

FortiDevSec offers an easy-to-use portal where users can log in and view all the issues across all their applications and all the different scan types. There is no longer any need to use multiple portals for numerous different and fragmented scanners. Scan results are first normalized across the scan types: the risk rating, risk category, and descriptions are all brought into a common form. The results are then aggregated and presented with various filters so the user can prioritize fixing the most critical items first. Developers usually get overwhelmed when a very high number of issues is reported. To mitigate that, FortiDevSec intelligently correlates findings across the multiple scan results and adjusts the risk ratings accordingly. This reduces the noise in the reported issues and lets the developer focus on fixing the most critical issues first.

General
Category: Online and appliance-based services - security management, cloud security solution, security analytics
Product type: Renewal of add-on subscription license - 5 years
Installation type: Hosted - SaaS
Licensing
Number of licenses: 5 applications