DevSecOps Emerging

Application security testing has been part of functional testing for many years without being a significant investment topic. Organizations have typically favored functional testing automation while moving to agile/continuous testing; they have considered application security testing as an afterthought.

With the increased emphasis on cybersecurity, application security has become part of DevOps to create DevSecOps. DevSecOps promotes the democratization of application security testing. It also brings a shift-left focus, conducting application security at the development level rather than after functional testing.

Application security as part of DevOps and continuous testing requires automation. And this is where the challenge lies. Application security testing currently requires as much human expertise as software tool usage. Most testing services providers and their clients limit themselves to running scan tools such as source composition analysis (SCA) software and vulnerability detection software such as static and dynamic application security testing (SAST and DAST) tools.

However, running vulnerability detection software is not enough: these tools require going through the output and separating defects from false positives. Processing the tool output is time-consuming, tedious, and requires high application security expertise. Expect this analysis to slow down the continuous testing process.

Expleo Uses AI to Accelerate Vulnerability Analysis…

We recently talked to Expleo to understand how it is conducting and promoting application security testing within the context of continuous testing. The company is pushing application security test automation, and it has its own Xesa and Intelligent Vulnerability Assessment and Penetration Testing (iVAPT) IPs supporting this effort.

With Xesa, Expleo has pre-integrated several tools for integrating SAST and DAST (Portswigger BurpSuite) as part of continuous testing. Xesa also includes open-source ZAP Proxy for tool orchestration, and Defect Dojo (security defect management).

However, Expleo’s value-add relies on its automated defect analysis. iVAPT uses AI models to categorize defects by nature and severity, helping security experts shorten their analysis time. It uses ANN to process vulnerabilities based on past defect history. Manual testers will then verify the false positives allocation. This is the first test in the application security automation journey.

…And its On-Demand Digital Model for Shortening Provisioning and Delivery

Expleo has deployed its on-demand digital model and offering for application security to complement its automated vulnerability capabilities, still aiming to shorten time-to-market. The company relies on a shared delivery model and its X-Platform.

The company promotes a shared delivery center model for quickly ramping up its application security experts. Experts provide security across the application lifecycle, from the requirement level (e.g., security requirement reviews), to the design phase (threat modeling and design review), development and testing (SCA), and production (DAST and pen-testing).

The company highlights that it can mobilize experts through its shared service centers within 48 hours. Expleo has ~200 application security testers globally across multiple locations: in India, France, Ireland, the U.K., Germany, and soon Egypt and Romania. Expleo relies on its preferred tools, mostly open-source software, to provide the service and shorten delivery time.

Expleo recently launched its X-Platform. On the X-Platform, clients define their requirements, order their services, and follow the project’s progress and KPIs. X -Platform goes beyond service selection and includes project technology support, monitoring and analytics/reporting.

AI Will Play a Significant Role in DevSecOps

This is not the first time we have seen QA offerings that combine shared delivery, reliance on a service catalog to promote standard services, and a portal. Despite their value proposition, such offerings have had niche success.

In our view, such offerings have the potential for short-term activities such as threat modeling, pen-testing, and design review that regularly require services for up to three weeks. In these instances, the business case for clients to have a dedicated team can be difficult.

We see Expleo addressing the need for speed in continuous testing/DevSecOps from several angles. This is excellent news. AI, in particular, has the potential to bring many use cases. We think false positive identification is the first step in an AI journey to create intelligence out of vulnerability scanning.