With the ever-growing dependence on software in critical systems such as healthcare, finance, transportation, and defense, among many others, the need for robust software security has never been greater. Security breaches, in which an undetected vulnerability is often the culprit, lead to severe financial loss, reputational damage, and even legal action for organizations and end users. While technology has improved considerably, conventional security practices have repeatedly failed to keep pace with the rapid growth in complexity and the dynamic nature of modern software systems. This paper argues for an organized and proactive approach to software security across the entire software lifecycle. We propose a research-driven automation framework that responds to these challenges by tightly integrating security testing tools to automate the detection and mitigation of vulnerabilities, fostering a culture of continuous security improvement. The framework is tailored to Agile development and DevOps workflows, embedding security seamlessly into rapid, iterative development cycles. By harnessing actionable metrics and insight, it allows an organization to quantitatively measure and improve its security practices over time.