Building accurate DAST into the CI/CD pipeline saves you time – and money

All too often, companies that get a new vulnerability scanner discover that it takes a full-time role to run and manage it – extra resources they might not be willing or able to spare. In practice, that overhead is the biggest difference between a simple scanner and a full-fledged solution for dynamic application security testing (DAST). With a mature DAST tool and the right vendor support, automation and integration can streamline the entire security testing process – as experienced by Invicti customers such as Park ‘N Fly.

Read our full case study with Park ‘N Fly to learn why customers call Invicti “auto magic.”

Automation unlocks resources for innovation

You could say any vulnerability scanner is an automatic tool because performing security checks automatically is the whole point of scanning. Yet in reality, the actual testing is only a small part of a wider security process. If the scanner leaves you with a few hundred test results that you then have to verify, triage, and manage manually, the “automatic” part isn’t doing you much good. Same if you have to manually set up and launch scans – the tests themselves might be automated, but somebody still has to do lots of work before and after each scan.

For security testing automation to be truly effective, you need to automate every single operation and step that doesn’t require human input. You also need to be sure you’re acting on reliable data so your automation doesn’t multiply errors and flood your teams with false positives. At Invicti, we focus obsessively on automating everything that can be automated so that after initial setup, the whole DAST solution can run more or less hands-off and only bother the humans when something actually needs doing. 

With automatically launched scans, automatic confirmations through proof-based scanning, and automatic tickets via workflow integrations, customers get the exact vulnerability data they need for immediate fixes, all without a single click wasted. Compared to the hundreds of hours a year otherwise spent on setting up scans, verifying scan results, assigning tickets, following up on fixes, and managing the tool itself, your teams can finally focus on business innovation and value-adding activities. For Invicti customers like Park ‘N Fly, who used to struggle with manual scanning processes, having security testing automation that works as advertised can be a real eye-opener.

I call Invicti “auto magic” in what I’m doing because it just saves time. It saves effort – even if I have a twenty-person team, a five-person team, or a fifty-person team, it doesn’t matter. You should always look at ways to optimize your team’s time so that they can focus on the things that are important. Logging in and doing manual arduous tasks is unimportant. Invicti solves that for us through automation.

– Ken Schirrmacher, CTO and Senior Director of IT, Park ‘N Fly, Inc.

Dip your toes into scanning, then dive into integrated DAST

The journey that Park ‘N Fly took was a common one for Invicti users and started with the requirement for a high-quality web vulnerability scanner. In this respect, Invicti certainly does not disappoint, delivering vulnerability reports with an accuracy that few other products can match. But if you only use it as a standalone scanner, you’re missing out on the cost and time benefits of automating all the other steps of the testing process.

Impressed with the quality of scan results and confident that the solution had been set up to test all the environments required, Park ‘N Fly explored workflow integration options, starting with out-of-the-box Jira integration. As users of Azure DevOps, they were delighted to learn that Invicti also readily fits into that workflow and gradually implemented deeper integration with their existing processes. With this came the realization that more work is getting done with less effort and less friction than before.

Make security testing a routine part of development

A common security bottleneck for many smaller dev teams is going from a vulnerability report to actual developer tasks in a ticket. While we often talk about the interactions and friction between the security team and developers, in reality you can get organizations with no dedicated security team or application security specialist. With more basic vulnerability scanners, this can lead to someone (often a project manager or developer) becoming the unofficial “scanner person” and suddenly finding they are googling for web vulnerability information to make sense of scan results and know what to tell developers in a ticket.

I would say Invicti saves probably a full-time role on our team just because we’ve had people that have manually done scans and then have to create the Jira items and then they have to assign it to the developers.

– Ken Schirrmacher, CTO and Senior Director of IT, Park ‘N Fly, Inc.

This is where it all comes together for Invicti and Park ‘N Fly, with accurate and fully automated DAST taking those dilemmas out of the equation and making security testing a routine and painless part of application development. Proof-based scanning delivers automatically confirmed vulnerability reports, complete with remediation guidance, while the Jira integration turns scan results into prioritized and actionable tickets. And once Invicti was also plugged into the Azure DevOps CI/CD pipeline, scans could be triggered automatically at specified stages of the process.

Automated DAST that simply does what it should

In a relatively short time, Park ‘N Fly went from manual scanning to an integrated DevSecOps workflow where Invicti’s DAST solution does all the heavy lifting and is only ever seen when it sends developers clear and actionable tickets. Now that’s automation.

Read our full Park ‘N Fly case study to learn why customers call Invicti “auto magic.”

The post Building accurate DAST into the CI/CD pipeline saves you time – and money appeared first on Invicti.

Post a Comment