Vulnerability Correlation in an Agile Pipeline

Team we45
June 28, 2018


There is a significant increase in companies taking up application testing as part of their agile process. As applications become more complex, with more add-ons and bug fixes, application testing has become a form of risk mitigation rather than an investment of time and effort in securing the entire application.

The time consumed throughout the SDLC process plays a major role in this strategy, with manual labor being the biggest factor. Hence, to reduce manual labor, companies are embracing integration of security automation into their CI/CD pipeline. Justifiably so, automation helps reduce the manual labor, increases security of applications, and aids in faster release cycles. In other words, companies understand the value of integrating security as part of their DevOps pipeline.

Another factor driving the adoption of security automation is the maturity and availability of a variety of security tools (both licensed and open source). There are different tools for each stage of an application's development cycle, including SAST tools (white box testing), DAST tools (dynamic testing), IAST tools (interactive testing), and RASP (Runtime Application Self-Protection). Each of these tools has its own strengths and weaknesses. Therefore, companies implementing DevSecOps most likely have multiple tools integrated into their pipeline to get comprehensive coverage.

Enhancing application security, increasing efficiency, and reducing manual labor through automation is all great. But it comes with a certain headache. It raises the question: "how do companies deal with the different results yielded by this wide range of testing tools?" This probably hits home for a lot of developers out there who have had late nights dealing with multiple reports, trying to make sense of it all. Below are some of the key factors leading to a conundrum with respect to automated security testing results.

Key Factors

A Possible Solution

An Application Vulnerability Correlation (AVC) tool would present a possible solution to the issues mentioned above. This correlation tool should have the following features:


we45's Orchestron, as a correlation engine, has the necessary features to address your correlation needs and fit into your CI/CD pipeline. It can correlate and consolidate multiple results in your pipeline and provide you with a comprehensive report, along with advice on best remediation practices. The correlated vulnerabilities are automatically logged into bug tracking tools like JIRA and GitHub. The delivered report also includes the CWE ID, CVSS scores, and DREAD scores, which your engineering team can use to prioritise and fix bugs as necessary. In addition, Orchestron has a webhook feature that lets you easily integrate with different testing tools written in different languages.
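To make the correlation idea concrete, here is a small added illustration (not Orchestron's code) of what a correlation engine does at its core: findings from several scanners are normalised to a common shape, merged on weakness class (CWE) plus affected location, a finding that more than one tool reports is flagged as corroborated, and the consolidated list is ordered for triage. The tool names and findings are constructed sample data.

```python
# Added illustration of vulnerability correlation; not Orchestron's implementation.
from collections import OrderedDict

# Constructed sample findings, already normalised to one shape per tool.
SAST_FINDINGS = [
    {"tool": "sast-a", "cwe": 89, "location": "/api/users", "cvss": 8.2, "title": "SQL injection"},
    {"tool": "sast-a", "cwe": 79, "location": "/search", "cvss": 6.1, "title": "Reflected XSS"},
]
DAST_FINDINGS = [
    {"tool": "dast-b", "cwe": 89, "location": "/api/users/?id=1", "cvss": 9.0, "title": "SQLi in id param"},
    {"tool": "dast-b", "cwe": 16, "location": "/", "cvss": 4.3, "title": "Missing security headers"},
]


def normalise_location(loc):
    """Drop query strings and trailing slashes so '/api/users/?id=1' and '/api/users' match."""
    return loc.split("?")[0].rstrip("/") or "/"


def correlate(*reports):
    """Merge scanner reports into one de-duplicated list.

    Findings are keyed on (CWE, normalised location). The merged entry keeps the
    highest CVSS any tool assigned, every tool that reported it, and a
    'corroborated' flag when at least two tools agree (e.g. a SAST hit that DAST
    also reaches at runtime). Output is sorted corroborated-first, then by CVSS,
    which is the order a triage queue would want.
    """
    merged = OrderedDict()
    for report in reports:
        for finding in report:
            key = (finding["cwe"], normalise_location(finding["location"]))
            entry = merged.setdefault(key, {
                "cwe": key[0], "location": key[1], "cvss": 0.0,
                "tools": [], "titles": [], "corroborated": False,
            })
            entry["cvss"] = max(entry["cvss"], finding["cvss"])
            if finding["tool"] not in entry["tools"]:
                entry["tools"].append(finding["tool"])
            entry["titles"].append(finding["title"])
            entry["corroborated"] = len(entry["tools"]) > 1
    return sorted(merged.values(), key=lambda e: (e["corroborated"], e["cvss"]), reverse=True)


if __name__ == "__main__":
    for entry in correlate(SAST_FINDINGS, DAST_FINDINGS):
        print(entry["cwe"], entry["location"], entry["cvss"], entry["tools"], entry["corroborated"])
```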

The headaches induced by dealing with multiple reports in a CI/CD pipeline can be reduced dramatically by a correlation tool. By not using one, you are doing yourself a disservice, even if you're automating security into your pipeline. A correlation tool not only reduces manual labour, it also increases visibility of vulnerabilities and enables faster closure of security issues throughout your secure SDLC.

If you're wondering where to start with your search for an AVC, you can find Orchestron's community edition repository here.