Application Security in a DevSecOps World
Over the years, application development has moved from a “waterfall mode” to an “agile mode”. The waterfall mode is a sequential approach in which changes to the application are deployed perhaps once in many months, and the development team moves to the next phase of development or testing only after the previous step has completed successfully. In the agile mode, however, development and testing activities run concurrently, allowing continuous iteration of development and testing. Application changes are also deployed to the cloud very frequently, sometimes even daily, so the development, functional testing and application security (AppSec) testing teams need tighter collaboration and communication with faster turnaround times. This has created the need to automate the workflow involved in building and deploying applications to the cloud, and subsequently led to the rise of the DevOps role, wherein continuous integration/continuous deployment (CI/CD) tools are used to enable this automation.
AppSec testing needs to be automated as well, made to work in this CI/CD paradigm, and incorporated into the earlier stages of the development cycle (commonly referred to as shift-left). This is where many AppSec testing products fall short: they are not natively built for the workflow of DevOps engineers and developers, who typically do not have much AppSec expertise and so cannot use such products effectively. Quite simply, they are not DevSecOps enabled. DevSecOps is short for development, security, and operations. It refers to automating the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.
AppSec testing is also very fragmented. Many types of AppSec scans need to be run on an application to find all of its vulnerabilities, and these are usually offered by separate products. A multi-product solution creates fragmentation and hinders the DevSecOps enablement of AppSec.
What the industry needs is an innovative AppSec product that has DevSecOps in its DNA. It should be easy for DevOps engineers and developers to use without requiring any specialized security expertise. It should also be a comprehensive offering that covers all types of AppSec scans, including SAST, DAST, SCA and secrets scanning.
Fortinet Adds Sken.ai to its Security Portfolio
To address the above growing challenge, Fortinet completed the acquisition of Sken.ai, a privately held startup headquartered in the Bay Area.
Sken.ai is a DevOps-first AppSec product offering continuous AppSec testing. DevOps personnel can use the product even without AppSec expertise. By adding just two lines of code, Sken.ai integrates seamlessly with all major DevOps CI/CD platforms.
Sken.ai also offers comprehensive testing across all scan types (SAST, DAST, SCA, secrets and more) for all major languages and frameworks. Sken.ai uses machine learning (ML) to correlate the vulnerabilities discovered across disparate scan types and applications and to assign a security risk rating to each one. For example, if similar vulnerabilities are found across different scan types, the risk rating of that issue is increased. Correlating results across scan types in this way reduces false positives and noise.
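The cross-scan correlation described above, as an added illustration that is not Sken.ai's code or algorithm: findings from different scanners are grouped by application, weakness class and location, and a finding corroborated by more than one scan type gets a higher risk rating. The finding fields, the boost value and the sample findings are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scan_type: str    # scanner family that produced it: SAST, DAST, SCA, SECRETS
    app: str          # application the scan ran against
    weakness: str     # normalized weakness class, e.g. a CWE id
    location: str     # file path, route or package the finding maps to
    base_score: float  # scanner's own severity on a 0-10 scale


# Constructed sample findings: a static and a dynamic scanner both report
# SQL injection on the same route; the other findings come from one scanner only.
FINDINGS = [
    Finding("SAST", "billing", "CWE-89", "/api/invoice", 6.0),
    Finding("DAST", "billing", "CWE-89", "/api/invoice", 7.0),
    Finding("SAST", "billing", "CWE-79", "/api/comment", 5.0),
    Finding("SCA", "billing", "CWE-1104", "lodash", 4.0),
]


def correlate(findings, boost=1.5, cap=10.0):
    """Merge findings that describe the same issue and rate them.

    Each additional independent scan type that reports the same issue adds
    `boost` to the highest base score, capped at `cap`. Issues seen by only
    one scanner keep their score but are marked as uncorroborated so they
    can be triaged after the corroborated ones.
    """
    groups = defaultdict(list)
    for f in findings:
        groups[(f.app, f.weakness, f.location)].append(f)

    rated = []
    for (app, weakness, location), group in groups.items():
        scan_types = sorted({f.scan_type for f in group})
        score = max(f.base_score for f in group)
        score = min(cap, score + boost * (len(scan_types) - 1))
        rated.append({
            "app": app, "weakness": weakness, "location": location,
            "scan_types": scan_types,
            "risk": round(score, 1),
            "corroborated": len(scan_types) > 1,
        })
    # Highest risk first, so the dashboard shows what to fix first
    return sorted(rated, key=lambda r: -r["risk"])
```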
Sken.ai is easy to use because there is no need to set up or manage scanners. Sken.ai inspects the application and, depending on the languages and frameworks used and the stage of the build/deploy process the application is currently at, automatically discovers all the scanners relevant to that application. It then downloads the most recent stable Docker image of each of those scanners to the customer’s CI/CD server. Once the scan is done, the scanner containers are destroyed and only the scan results are uploaded to the Sken.ai cloud. This way the customer always runs the most appropriate and up-to-date version of each scanner without having to manage them.
In summary, Sken.ai provides unified orchestration, configuration, and a unified dashboard for all the customer’s AppSec scans.
Security in Pre and Post-Production Phases of Modern Application Development
Fortinet’s FortiWeb and Security Fabric can secure and protect customers’ web applications that are live in production environments. With the acquisition of Sken.ai, and with the existing FortiPenTest product, Fortinet offers additional capabilities to scan for and help remediate application vulnerabilities during the application development process, thus forming a security fabric across the entire development and production phases of the application.
Sken.ai’s former Founder and CEO, Sundar Krish, has joined Fortinet as the General Manager of DevSecOps to accelerate the Fortinet vision of providing modern AppSec for DevOps.
Select Customer Quotes on DevOps
One DevOps Director at a large insurance firm said: “We were using a few commercial application security scanners, but they were not covering the entire gamut of scanning such as static, dynamic and interactive, etc. Also, the integration of these various scanners in our CI/CD pipeline was all fragmented and led to a lot of unnecessary back and forth with DevOps and security teams. We have hundreds of applications, and we did not have the bandwidth to handle all that. We tried Sken.ai and we liked the fact that Sken.ai was able to give us a comprehensive view of security issues and thus fill all the gaps in our security. Sken is extremely easy for DevOps, just a one-time configuration does it all.”
An application security manager in a large infrastructure company mentioned: “Sken.ai’s intelligent security risk rating mechanism across all types of scans helps us prioritize the issues that we need to focus on. Due to Sken.ai, the application security team’s relationship with the developers and the DevOps engineers has never been better!”
Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.