SKILup Day DevSecOps: Exploring the impact of IaC, SAST
The Impact of SAST on DevOps
Over the years, I’ve seen many organizations struggle in their DevSecOps initiatives. While there are always many challenges to overcome, a very common problem is that the obvious first step is much more complex than most realize. SAST tools are almost ubiquitous in professional settings and are seen as a way to identify security problems early in the development process. And SAST is great – it finds real problems, often well before code is anywhere close to release.
The problem lies in the effort required to deal with the findings. In DevOps workflows, anything that requires investigation is disruptive to flow. The most useful security findings will say something like “you need to do a, b, c to solve this problem” – both identifying a problem that must be fixed and presenting a solution. But SAST tool findings are closer to “somebody should look into this and figure out what to do”.
Worse, many of those findings end up requiring NO action from developers. In other words, typical SAST findings are more disruptive than useful in DevOps workflows even though it may be easy to run SAST in pipelines. Each finding creates unplanned work which must be completed before the security problem can be addressed (and the remediation effort is more unplanned work).
The Impact of IaC on DevSecOps
My talk goes into some ways that infrastructure as code (IaC) can be used to understand the context of security findings produced by IaC scanners, SAST, SCA, or other tools. The end result is a sophisticated understanding of the risk that each finding represents, which enables programmatic filtering and prioritization and minimizes the unnecessary work that security tools inject into DevOps workflows. We’re already seeing promising results from our GitLab integration, which currently works with IaC and SAST findings, and we’re excited to continue improving that contextualization work.
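To make the contextualization idea concrete, here is an added example (not code from the talk or from Accurics) that joins constructed SAST findings to deployment context an IaC scan might derive from Terraform, then scores and ranks them. The finding shapes, the `internet_facing`/`sensitive_data` attributes and the scoring weights are all illustrative assumptions; the point is that a finding in code no IaC deploys can be suppressed automatically, while the same rule firing in an internet-facing service that handles sensitive data is ranked first.

```python
# Added example: join SAST findings to IaC-derived deployment context so they can be
# filtered and ranked programmatically. All inputs are constructed and the weights
# are illustrative assumptions, not any vendor's scoring algorithm.

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed SAST findings, shaped loosely like a scanner report: the file, the
# rule that fired, the tool's severity, and the service the file belongs to.
FINDINGS = [
    {"file": "api/handlers.py", "rule": "sql-injection", "severity": "high", "service": "public-api"},
    {"file": "batch/report.py", "rule": "sql-injection", "severity": "high", "service": "nightly-report"},
    {"file": "legacy/upload.py", "rule": "path-traversal", "severity": "medium", "service": "legacy-upload"},
    {"file": "api/handlers.py", "rule": "weak-hash", "severity": "low", "service": "public-api"},
]

# Constructed deployment context, as an IaC scan might extract it from Terraform:
# is the service reachable from the internet, and does it touch sensitive data?
# A service with no IaC resources at all is not deployed anywhere.
IAC_CONTEXT = {
    "public-api": {"internet_facing": True, "sensitive_data": True},
    "nightly-report": {"internet_facing": False, "sensitive_data": True},
}

def score(finding, context):
    """Return (score, action) for one finding given its IaC-derived context."""
    ctx = context.get(finding["service"])
    if ctx is None:
        # Nothing in IaC deploys this code: no runtime exposure, no developer work.
        return 0, "suppress"
    s = SEVERITY_WEIGHT[finding["severity"]]
    if ctx["internet_facing"]:
        s *= 2  # reachable by anonymous users, so exploitability is far higher
    if ctx["sensitive_data"]:
        s += 1  # impact is higher when the service handles sensitive data
    action = "fix-now" if s >= 6 else "review" if s >= 3 else "backlog"
    return s, action

def prioritize(findings, context):
    """Annotate each finding with score/action and sort highest risk first."""
    ranked = []
    for f in findings:
        s, action = score(f, context)
        ranked.append({**f, "score": s, "action": action})
    return sorted(ranked, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in prioritize(FINDINGS, IAC_CONTEXT):
        print(f"{f['score']:2d} {f['action']:8} {f['service']:15} {f['rule']} ({f['file']})")
```

With these inputs the two identical `sql-injection` findings land in different buckets (fix-now versus review) purely because of where IaC says the code runs, which is the kind of context a raw SAST report cannot supply on its own.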
I encourage you to watch the whole talk to better understand the importance of context and how “security as code” approaches are ushering in a new generation of security tools that satisfy security and compliance concerns and truly fit into DevOps workflows. These tools won’t single-handedly solve the DevSecOps puzzle, but we believe they will help improve the communication challenges that underlie many of the thorny cultural problems.
That said, the best part of the event was the community. I enjoyed spending time with peers and partners to better understand the challenges faced by real world DevOps teams and how we are collectively tackling them. I look forward to participating in future SKILup Days, and I hope to see you there! In the meantime, feel free to continue the conversation in our Accurics Community Discord.