By John Matthew Holt, Founder and Chief Technology Officer at Waratek
The AppSec community is divided over automation. The old-school belief is that programmers should manually fix all of their vulnerabilities, while the new school believes automated solutions are not only viable but needed.
This type of division is nothing new. We saw similar lines drawn in the mid-90s over memory-management bugs. Traditionalists believed programmers should be trained and given tools so that they could ultimately write memory-bug-free code. They likened automated fixing of memory bugs in the runtime or compiler to “cheating” that would make programmers lazy and lead them to write bad code.
Jump ahead to the present day and the same argument is being made about application security. Hardliners believe that programmers are responsible for writing code with security in mind, and that providing an automated solution will only lead to lazy programmers writing more bad code. They also believe that, given the right testing tools, there should be no reason for programmers to produce buggy code.
But this isn’t the mid-90s, and innovations in automation suggest a new path forward. There has been an influx of technologies that promise to strengthen application security posture: the familiar WAFs, NGFWs, RASPs and so on. None of these actually fix the underlying flaw; they act as blockers that match traffic or behaviour against a set of rules. JIT-compiler-based solutions now fix vulnerabilities in the running application without relying on a signature playbook, instead working from what the developer intended the application to do.
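The difference between blocking and fixing, as an added illustration that is not part of the original article and does not describe Waratek’s product: a WAF-style rule decides on the input alone, so it blocks an attack string and a legitimate customer name alike (the false positive the closing paragraph refers to), while a runtime hook that knows which values came from the request can rewrite the statement so those values are bound as parameters, which removes the injection without a rule for it. The in-memory SQLite table, the sample inputs and the `runtime_fixed_execute` hook are constructed for the example; a real runtime solution would track tainted values through the program rather than searching for them in the SQL text as this simplified hook does.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(1, "Alice"), (2, "O'Reilly OR Sons"), (3, "Bob")],
    )
    conn.commit()
    return conn


# Perimeter blocker: a WAF-style signature applied to the raw input value.
# It has no idea how the application will use the value, only what it looks like.
WAF_PATTERN = re.compile(r"(?i)('|\bOR\b|--|;)")


def waf_blocks(value: str) -> bool:
    return bool(WAF_PATTERN.search(value))


# Vulnerable application code (deliberately): SQL built by concatenation.
def build_lookup_sql(name: str) -> str:
    return "SELECT id FROM customers WHERE name = '" + name + "'"


def vulnerable_lookup(conn, name: str):
    return [row[0] for row in conn.execute(build_lookup_sql(name))]


# Runtime fix (hypothetical hook, simplified): given the statement the
# application is about to run and the values that arrived in the request,
# replace each spliced-in value with a bind parameter. The query structure
# the developer wrote survives; the attacker's quote-break does not.
def runtime_fixed_execute(conn, sql: str, tainted_values):
    params = []
    for value in tainted_values:
        spliced = "'" + value + "'"  # how concatenation rendered the value
        if spliced in sql:
            sql = sql.replace(spliced, "?", 1)
            params.append(value)
    return conn.execute(sql, params)


def compare(value: str) -> dict:
    """Run one input through the blocker, the vulnerable code and the fixed path."""
    conn = make_db()
    try:
        vulnerable = vulnerable_lookup(conn, value)
    except sqlite3.OperationalError:
        vulnerable = "error"  # the apostrophe broke the query
    fixed_rows = runtime_fixed_execute(conn, build_lookup_sql(value), [value])
    return {
        "waf_blocks": waf_blocks(value),
        "vulnerable": vulnerable,
        "fixed": [row[0] for row in fixed_rows],
    }


if __name__ == "__main__":
    for sample in ("Alice", "x' OR '1'='1", "O'Reilly OR Sons"):
        print(repr(sample), compare(sample))
```

The attack string is blocked by the WAF and neutralised by the runtime hook; the legitimate name “O'Reilly OR Sons” is blocked by the WAF (a false positive) and also crashes the vulnerable query, while the fixed path returns the right row. The blocker needs its rule tuned to tell the two apart; the fix does not, because it enforces the statement shape the developer wrote.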
The Ponemon Institute and IBM revealed in a study last year that security automation can significantly reduce the cost of a data breach by detecting and addressing breaches earlier. Notably, the report found that organizations with more automated tooling in their software development lifecycle tend to have better outcomes when a breach does happen. Companies that still rely on manual processes, such as security tools that require frequent tuning or manual CVE patching, usually experience longer break-fix times and therefore greater impact on their business operations.
It’s critical for organizations to deploy automated tools that address the leading cause of cyber attacks: known but unpatched flaws in applications. Newer solutions fix known flaws and protect applications from known and zero-day exploits with no source code changes and no application downtime. They can be deployed quickly, and adding a new patch or security rule is a point-and-click exercise that takes minutes, not the weeks, months or years required to manually apply patches, nor the near-constant tuning required to keep security rules up to date.
The bottom line: when the runtime or compiler fixes the bugs more cheaply than the programmer and without making mistakes (false positives), commercial reality prevails and the automated solution wins over the manual alternative. Even if these compiler-based solutions only protect the application during the window of time it takes dev teams to modify the source code, an ounce of prevention will always be worth more than a pound of cure.
The case for security automation has been made.