
Are you meeting SLA for your most critical security issues?

On May 24th, we did a webinar called Are you meeting SLA for your most critical security issues? In this webinar, Mike Khusid, VP of Product at Codacy, discussed how SLA tracking could help engineering managers prioritize work on security issues.

During this talk, he covered the following:

  • Why is identifying security issues just a first step, and what comes next?
  • How can SLA tracking help engineering managers prioritize work on security issues?
  • What does “shifting-left” security mean, and how can it benefit your organization?
  • Best practices to shift-left and how tooling can help.

In case you missed the webinar live, don’t worry: you can (re)watch the recording here or below 👇

A live talk on security issues and SLA

You can check the detailed talk on our video recording – we even give you the specific time frames! But we’ve summarized the topics for you to read 🤓

Identifying security issues (00:02:10)

In today’s world, security is more important than ever. With the ever-increasing number of cyberattacks, businesses must protect their data, systems, and software. One way to do this is to implement a shift-left application security process.

Shift-left application security is an approach that integrates security into the software development process from the very beginning. As such, security is considered at every stage of the development process, from requirements gathering to testing and deployment.

The ideal shift-left development workflow

In the ideal shift-left development workflow, the first step is to identify what is not yet covered, which includes:

  • Identify gaps in specific components
  • Document new component security strategies
  • Understand the infrastructure and how it could be breached
  • Understand new compliance and certification requirements of the software
  • Perform training sessions for developers
  • Review industry best practices (e.g., OWASP Top 10 and SANS Top 25)

We then run different tools to look for vulnerabilities. To do that, we need to:

  • Integrate automatic tools into developer pipelines
  • Run the tools early to get immediate feedback in the Pull Request before merging
  • Configure tooling requirements (e.g., quality gates)
  • Make sure all tools are properly set up
  • Fix the issues before merging the PR

Finally, we create reports. This is necessary for compliance, demonstrating to the company, auditors, and regulators that our tooling is safe.

However, in most cases, the shift-left development workflow doesn’t happen in an ideal way. We surveyed 85 Codacy users, mostly software developers and engineering managers, about their challenges with shift-left security.

From our survey, we understand that 79% of engineers have experienced issues with code security or vulnerabilities in the past. Over half of them don’t have access to all critical issues in their organizations, but they perceive compliance with code security and vulnerability standards as a high priority.

Plus, 65% say they cannot track SLAs for critical severity issues, and numerous organizations manually generate reports for compliance reasons, which has become cumbersome. The tools organizations are using seem to have all the information, but there is a gap in the process.

Results of a survey with replies from 85 Codacy users

How can SLA tracking help? (00:10:49)

To improve the shift-left development workflow, we must consider two other steps. First, after identifying what is not yet covered and running different tools to look for vulnerabilities, we need to prioritize and define what to tackle first.

When prioritizing, we need to:

  • Consider vulnerabilities from multiple sources
  • Validate the false positives and dismiss false alerts
  • Recognize trade-offs to focus on the most critical issues
  • Understand how exposed we are to the most critical vulnerabilities
  • Understand which vulnerability will “expire” first in terms of its SLA

Once we have the vulnerabilities prioritized, we then assign and fix them.

More realistic shift-left development workflow, with SLAs

One important thing to notice in this more realistic shift-left development workflow is the SLA. An SLA gives us a buffer between prioritization and fixing, and offers development teams time to fix the issues.

SLAs can be negotiated between the engineering, compliance, and security teams. These teams need to define what it takes to fix issues, how long we can wait for those issues to be fixed, and what counts as fulfilling those SLAs. Then, we can make sure we’re doing a good job prioritizing and addressing issues on time.

Shift-left best practices (00:19:52)

Shift-left best practices fall into two parts: what we do within the Git workflow, and what we do outside it.

Within the Git workflow, we should focus on the following:

  • Automating tools and multiple types of analysis
  • Setting up a security policy
  • Creating Pull Request checks
  • Being aware of industry standards (e.g., OWASP Top 10)
  • Automating and making it easier to generate compliance reports
  • Considering AI to accelerate fixing issues

Outside of the Git workflow, we should focus on the following:

  • Having a complete aggregate view
  • Having the ability and flexibility to handle complex situations
  • Relentlessly prioritizing based on severity, exploitability, and time
  • Making sure the team can communicate and use the SLAs
  • Providing training for developers
  • Having security champions
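As an added example (not from the webinar or Codacy's product), here are the prioritization and SLA-tracking steps described above in Python: findings from several tools are merged by fingerprint into one aggregate view, validated false positives are dropped, each open issue gets a deadline from a per-severity SLA and is bucketed as past due, approaching or on track, and the queue is ordered by whichever SLA expires first. The SLA days, tool names and findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed SLA policy (days to fix per severity) and alert window; real values are negotiated.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
APPROACHING_WINDOW_DAYS = 3
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    source: str       # tool that reported it
    fingerprint: str  # file + rule id, stable across tools, used to dedupe
    severity: str
    found_on: date    # the SLA clock starts at first sighting
    dismissed: bool = False  # validated as a false positive

def aggregate(findings):
    """Merge one issue reported by several tools: earliest sighting, worst severity."""
    merged = {}
    for f in findings:
        prev = merged.get(f.fingerprint)
        merged[f.fingerprint] = f if prev is None else Finding(
            source=f"{prev.source}+{f.source}", fingerprint=f.fingerprint,
            severity=min(prev.severity, f.severity, key=SEVERITY_RANK.get),
            found_on=min(prev.found_on, f.found_on),
            dismissed=prev.dismissed or f.dismissed)  # triaged once, dismissed everywhere
    return list(merged.values())

def deadline(f):
    return f.found_on + timedelta(days=SLA_DAYS[f.severity])

def sla_state(f, today):
    """past_due / approaching / on_track: the buckets a dashboard colours."""
    days_left = (deadline(f) - today).days
    return ("past_due" if days_left < 0 else
            "approaching" if days_left <= APPROACHING_WINDOW_DAYS else "on_track")

def prioritize(findings, today):
    """Open issues ordered by whichever SLA expires first, ties broken by severity."""
    live = [f for f in aggregate(findings) if not f.dismissed]
    return sorted(live, key=lambda f: (deadline(f), SEVERITY_RANK[f.severity]))

# Constructed sample: two SAST tools report the same SQL injection (merging it makes
# the older sighting count), a dependency hit, an older medium issue, one dismissed.
SAMPLE = [
    Finding("sast-a", "src/auth.py:sql-injection", "critical", date(2023, 5, 28)),
    Finding("sast-b", "src/auth.py:sql-injection", "high", date(2023, 5, 20)),
    Finding("dep-scan", "requirements.txt:vulnerable-dependency", "high", date(2023, 5, 5)),
    Finding("sast-a", "src/util.py:weak-hash", "medium", date(2023, 4, 1)),
    Finding("sast-a", "tests/helpers.py:hardcoded-secret", "critical", date(2023, 5, 30), True),
]
TODAY = date(2023, 6, 1)  # constructed "now" for the sample
```

Note that the SQL-injection finding is past due only because the two tool reports were merged; either tool on its own would have shown it as merely approaching or on track.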

What tools to use (00:22:54)

Based on the survey of our customers, one of the valuable things we can offer in our Codacy Quality product is an aggregate dashboard.

We’ve built a beta version of a Security and Risk Management dashboard! This dashboard aggregates issues, giving you an overview of all vulnerabilities found by different tools. You can see SLA compliance and whether the vulnerabilities are past due or approaching their SLA deadlines. All in a single dashboard so that you can see and address issues promptly.

The Security and Risk Management dashboard is now in a private beta, but it will become available to a wider audience soon. Interested? Send us an email!

New Security & Risk Management Dashboard

Q&A time

After the talk, we opened the floor to all the questions the audience might have. We’ve listed them for you:

  • Can we change the priority of the issues? (00:24:37)
  • What kind of issues does this dashboard find? (00:25:58)
  • How do you prioritize when everything seems like a priority? (00:27:17)
  • Do you have any tips for training developers? (00:28:38)
  • Should everyone have SLAs, or do you see any scenario where it’s not needed? (00:30:31)
  • Cyber security is a hard topic, and you have to select skilled people. How to understand if they are skilled enough? (00:31:10)

Thank you to everyone who joined live and those who watched the recording later on!