6 Reasons More Automation Means More Secure Software: The New Stack

In an era where applications are partitioned into microservices and networks are distributed across regions and clouds, software is being produced faster than ever, in smaller and smaller components.

The increasing complexity, and ever-increasing security threats to the software supply chain, are often too much for mere human engineers to handle.

The only way to keep up? With automation.

Automation can “develop the speed at which organizations can bring solutions to market,” Arnal Dayaratna, an analyst who leads software developer research at International Data Corporation (IDC), told The New Stack. “The biggest problem we have is how long it takes to get the code out.”

But it can also improve your teams’ and organization’s confidence in the software you produce, and make changes less likely to break your code, according to an unpublished report completed in September by Sonatype and The New Stack.

The report, which surveyed 679 IT technologists and managers across industries, found that the more an organization automates software deployment and testing, and the more often it deploys, the more confidence it expresses in its software.

The report found that organizations that fully automate application deployment are 24% more likely to have dependency updates that don’t break functionality, compared to all respondents.

Keep up with rapidly changing code

Today, 62% of companies use more than one cloud provider, according to a 2021 Cloud Security Alliance report. And the use of various production platforms, such as containers and virtual machines, continues to increase.

With the move to cross-functional DevOps teams and practices, applications are also being updated faster than ever.

According to research published by Sonatype last fall, 57% of software development teams deploy at least once a week, and 20% deploy multiple times a day, or with every change.

The average organization, according to Sonatype’s “State of the Software Supply Chain 2021” report, performs 6,200 component migrations per year. When a developer updates a dependency, they have, on average, 21 versions to choose from.

Adding to the security challenge is the fact that developers don’t write all their code from scratch.

Almost all code bases contain some open source code. For example, 97% of a typical Java application is made up of open source code, according to a report published in February by Veracode, a software security testing company. The report further revealed:

  • Seventy-seven percent of known flaws in third-party libraries remained unfixed three months after discovery.
  • The most common type of vulnerability, CRLF injection, was found in 65% of applications. The second most common type, affecting 61% of applications, was “information leakage,” which can expose businesses to legal liability.
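
The CRLF injection class named above, as an added example that is not from the article or from Veracode's report: a minimal redirect builder in its vulnerable and hardened forms, a lenient response parser standing in for a client, and an automated check that feeds attacker-style values (constructed here) through a builder and reports the ones that smuggle in an extra header or a response body. The builder, the payloads and the parser are all assumptions made for the demonstration.

```python
"""CRLF injection into an HTTP response header: vulnerable vs. hardened.

Added example, not from the article or from Veracode. The redirect builder,
the injection payloads and the client-side parser are constructed for the demo.
"""
import re
from typing import Callable, List, Tuple

# Many real clients accept a bare LF as a line terminator, so the parser is
# deliberately lenient; that is exactly what makes LF-only payloads dangerous.
HEADER_END = re.compile(r"\r?\n\r?\n")
LINE_END = re.compile(r"\r?\n")
CTL = re.compile(r"[\r\n\x00]")


def build_redirect_vulnerable(target: str) -> str:
    # The attacker-controlled value is concatenated straight into the header
    # block, so a CR/LF inside it starts a new header line (or a new body).
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def build_redirect_hardened(target: str) -> str:
    # Refuse any control character before the value reaches the header block.
    # Rejecting is safer than stripping: a stripped value may still not be the
    # URL the caller intended, and it hides the attack from logs.
    if CTL.search(target):
        raise ValueError("refusing CR/LF/NUL in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def parse_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw response the way a lenient client would: (headers, body)."""
    parts = HEADER_END.split(raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    headers = []
    for line in LINE_END.split(head)[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


# Constructed attacker inputs: header injection via CRLF, via bare LF, and
# full response splitting (a blank line followed by an attacker-chosen body).
INJECTION_PAYLOADS = [
    "/home\r\nSet-Cookie: session=attacker",
    "/home\nSet-Cookie: session=attacker",
    "/home\r\n\r\n<html>injected body</html>",
]


def scan_header_builder(builder: Callable[[str], str]) -> List[str]:
    """Automated check: return the payloads that the builder lets through.

    A payload counts as a finding when the parsed response carries anything
    other than the single Location header, or carries a body at all.
    """
    findings = []
    for payload in INJECTION_PAYLOADS:
        try:
            raw = builder(payload)
        except ValueError:
            continue  # rejected up front: not a finding
        headers, body = parse_response(raw)
        if [name for name, _ in headers] != ["Location"] or body:
            findings.append(payload)
    return findings


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_redirect_vulnerable),
                          ("hardened", build_redirect_hardened)):
        hits = scan_header_builder(builder)
        print(f"{name}: {len(hits)} of {len(INJECTION_PAYLOADS)} payloads injected")
```

The same scan can be pointed at any function that turns user input into a header value, which is the point of putting it in a pipeline rather than leaving it to whoever happens to remember the check.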

Checking all of these components for known vulnerabilities and license issues is an impossible task if done manually.
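
To make the manual-versus-automated point concrete, an added example (not from the article, Sonatype or Veracode) of the check a pipeline would run on every build: a component inventory is matched against an advisory feed by version range and against a license policy, and a gate function turns the findings into a CI exit code. The package names, advisory identifiers, version ranges and policy below are all constructed; real tooling takes them from an SBOM and a vulnerability database.

```python
"""Automated component check: known-vulnerability and license policy gate.

Added example, not from the article, Sonatype or Veracode. The inventory,
advisory feed and policy are constructed; a real pipeline would read the
inventory from an SBOM and the advisories from a vulnerability database.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    # Assumption: dotted-integer versions only, no pre-release or build tags.
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)
    severity: str


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str        # "vulnerability" or "license"
    detail: str
    blocking: bool


# Constructed policy: which licenses and severities fail the build.
DENIED_LICENSES: Set[str] = {"AGPL-3.0", "SSPL-1.0"}
BLOCKING_SEVERITIES: Set[str] = {"critical", "high"}


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component's version lies in [introduced, fixed)."""
    if component.name != advisory.package:
        return False
    v = parse_version(component.version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def check_inventory(inventory: Iterable[Component],
                    advisories: Iterable[Advisory],
                    denied_licenses: Set[str] = DENIED_LICENSES) -> List[Finding]:
    """Every component against every advisory and the license policy."""
    advisories = list(advisories)
    findings: List[Finding] = []
    for c in inventory:
        label = f"{c.name}@{c.version}"
        for a in advisories:
            if is_affected(c, a):
                findings.append(Finding(
                    component=label, kind="vulnerability",
                    detail=f"{a.id} ({a.severity}), fixed in {a.fixed}",
                    blocking=a.severity in BLOCKING_SEVERITIES))
        if c.license in denied_licenses:
            findings.append(Finding(
                component=label, kind="license",
                detail=f"{c.license} is denied by policy", blocking=True))
    return findings


def gate(findings: Iterable[Finding]) -> int:
    """CI exit code: 1 if any finding is blocking, else 0."""
    return 1 if any(f.blocking for f in findings) else 0


# Constructed sample data: hypothetical packages and advisory identifiers.
INVENTORY = [
    Component("libjson-parse", "2.4.1", "MIT"),
    Component("fastlog", "1.0.9", "Apache-2.0"),
    Component("dbsync", "3.2.0", "AGPL-3.0"),
    Component("tlsutil", "0.8.5", "BSD-3-Clause"),
]
ADVISORIES = [
    Advisory("EX-2021-0001", "libjson-parse", "2.0.0", "2.4.3", "high"),
    Advisory("EX-2021-0002", "fastlog", "1.0.0", "1.0.8", "medium"),  # already past the fix
    Advisory("EX-2021-0003", "tlsutil", "0.8.0", "0.9.0", "low"),
]


def run() -> int:
    findings = check_inventory(INVENTORY, ADVISORIES)
    for f in findings:
        print(("BLOCK " if f.blocking else "WARN  ") + f"{f.component}: {f.detail}")
    return gate(findings)


if __name__ == "__main__":
    raise SystemExit(run())
```

Run on the constructed data, the high-severity hit on libjson-parse and the AGPL-licensed dbsync fail the build, the low-severity tlsutil advisory is reported as a warning, and fastlog passes because 1.0.9 is already past the fix version. The value of running this per build is in the part a human never keeps up with: re-evaluating every component each time the advisory feed changes.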

And then there is the possibility of vulnerabilities in newly written code, which must be tested for flaws before it can be published.

It’s hard to keep up without automation, both in building and testing software, Venky Chennapragada, DevOps architect at the consulting group Capgemini Americas, told The New Stack.

“This automation makes it possible for companies to build hundreds of artifacts daily for their applications and microservices,” he said.

The benefits of automation

Automation requires a real investment of time and effort to get right, something that can be hard to justify if it’s important to get something out quickly, Matt Keeler, senior DevOps engineer at security consultancy Bishop Fox, told The New Stack.

But, over time, it leads to a faster release cycle, improved security, and a more stable platform, he added.

At Bishop Fox, he said, “we use automation not only for continuous integration and continuous development, but also for document generation, deploying our infrastructure, scaling our platform up and down based on load, and even patch management.”

Here are six benefits of automation in the software lifecycle:

1. Automation standardizes security testing.

Automation is one of the critical capabilities for application security testing, according to a 2020 Gartner report.

“The application security testing market has entered a period of rapid evolution and change,” Gartner analyst Mark Horvath wrote in the report.

Automation lets companies perform software security testing not only efficiently and at scale, but also in a standardized way, said Sanjay Srivastava, chief digital officer of the professional services company Genpact.

“If you leave it up to the individual, everyone does it a little bit differently,” he told The New Stack.

2. Automation frees up developers to focus on innovation.

Automation not only gives developers greater confidence in components and systems and makes them more productive, but it also makes the work more enjoyable, Keeler said.

“Automation allows us to offload important but repetitive work to one machine, freeing us up to focus our creative efforts elsewhere,” he said.

3. Automation improves DevOps practices.

“Automation is critical,” said IDC’s Dayaratna. “And it’s also critical to reducing friction between handoffs in the development lifecycle, particularly in the context of development done by distributed teams.”

When companies switch to DevOps, implementations speed up, he said. “Automation is part of DevOps. It is fundamental to DevOps practices.”

Many DevOps tools already have automation built in, Dayaratna said. “The next phase of development is to deepen the integration of artificial intelligence and machine learning into DevOps processes and practices.

“That’s going to be an exciting new phase of software development automation, which isn’t to say it’s not already happening.”

4. AI can improve development and testing.

Artificial intelligence (AI) has a role to play in testing and monitoring, for example, because specifying the right parameters, such as monitoring thresholds, for today’s applications by hand is so difficult.

For example, a company may need to set different thresholds during peak periods, such as the Black Friday holiday shopping spree, or for certain types of users. As applications and different use cases multiply, it becomes very difficult to keep up manually.

Automation can help companies address licensing and security issues in software development, Dayaratna said.

A large organization may be running hundreds of different tests against its applications, at all points in the software lifecycle, he said. “Many of those tests will fail and will need to be repeated.”

Most automation today is done within predefined parameters, using programmed steps and decision trees to replace time-consuming routine actions. This allows companies to do what they are currently doing, Srivastava said, but “better, faster and more efficiently.”

By adding AI to the process, companies bring new value to the table, he said, and not just by accelerating software development and delivery: “You’re going to fundamentally change what’s going to be produced.”

5. AI automation makes it easy to ‘shift left’.

Software developers are the best group of users within the company to understand the benefits of intelligent automation and make the best possible use of it, Genpact’s Srivastava added.

“They are the best barometer of where the world is going,” he said.

For example, intelligent automation can be introduced early in the software writing process, to dramatically improve the quality and security of code as it is written, while also accelerating development.

“It makes you able to do things that you couldn’t do before,” he said. “It puts you into entirely new business models.”

By 2025, 75% of all apps will include auto-generated code, according to an IDC report.

“This is due to the conjunction of increased adoption of low-code and no-code development tools,” Dayaratna said.

6. Automation saves companies money.

“Intelligent automation that standardizes engineering teams on exemplary open source projects could eliminate 1.6 [million] hours and $240 million of real-world waste spread across our sample of 100,000 production applications,” reads Sonatype’s “State of the Software Supply Chain” report.

Extrapolated to the entire software industry, the report found, the savings could run into the billions, with intelligent automation saving companies an average of $192,000 a year.

And it’s not too late to start, Dayaratna said. “There are still opportunities for technology vendors to improve on integrating intelligence into software development.”

Featured image by Eric Krull on Unsplash.