Intelligent orchestration: Software security at the speed of development

Taylor Armerding
Published in Nerd For Tech
Jun 7, 2021

To the average person, “intelligent orchestration” might sound like what a conductor does to make sure the clarinets don’t stomp all over the violin solo at the New York Philharmonic. If music is going to sound good, have meaning, and generate an emotional response, all the instruments have to work together in harmony. The musicians have to play the right notes at the right time.

That applies to more than music. It’s also true in software development, even if the emotional response doesn’t come until an app is completed and in the hands of a user who is dazzled by what it does.

And the digital version of intelligent orchestration is what it takes to balance the insatiable demand to develop software products faster with the equally important need for those products to be secure. If they aren’t secure, the emotional response is likely to be frustration and anger when the users of those products become low-hanging fruit for hackers.

The goals of criminal hackers are familiar by now. For individual victims, they’re looking to steal identity, make fraudulent purchases with stolen credit cards, and loot bank accounts. If a company is the target, they’re looking to steal intellectual property, expose the personal and financial data of customers, and plunder the company’s finances.

And, as recent headlines have illustrated, an epidemic of attacks is aimed at collecting millions in ransom payments from organizations that operate critical infrastructure, from fuel to food supply to transportation.

For the makers of products with weak security, the results are also familiar and painful: Brand damage, possible litigation, loss of market share, compliance sanctions, and more. Enough to devastate any organization that is already struggling.

And while hackers do take advantage of stolen passwords, and clueless employees can fall for phishing attacks and click on malicious links, the majority of successful hacks are enabled by unpatched, insecure software, which means it wasn’t secure to begin with, most likely because developers were under pressure to rush a product into production and couldn’t manage a flood of notifications from security tools that were slowing them down.

Testing for Goldilocks

Hence the need for intelligent orchestration. Done right, it can help solve that dilemma. Developers don’t have to sacrifice speed for security because the testing of software is, as Goldilocks might put it, just right.

Intelligent orchestration is an automated way of calling for the right tests, with the right tools, at the right time, and only flagging critical vulnerabilities instead of overwhelming developers with so many irrelevant or trivial security notifications that they start treating them as unwelcome background “noise” and simply ignoring them.

Intelligent orchestration is not a new concept — elements of it have been around for decades. But a much more comprehensive form of it is now becoming mainstream.

The Synopsys Software Integrity Group launched a product version of it at the RSA Conference last month. (Disclosure: I write for Synopsys).

It sounds like a software developer’s dream. And the way it works aligns with one of the secondary definitions of orchestration in the Oxford Languages dictionary: “The planning or coordination of the elements of a situation to produce a desired effect, especially surreptitiously.”

In this case, the surreptitious part is selective and welcome, which is what makes it so attractive to developers — it doesn’t bother you unless it’s absolutely necessary.

So how does it know when to bother you and when to leave you alone? Meera Rao is glad you asked. Rao, senior director of product management in the Synopsys Software Integrity Group, is leading the development of the Intelligent Orchestration solution at the company.

She describes it as a “heart and brain” that knows what to test, when to test and what tool to use because the users — the developer, the team, the organization — can program it the way they want. It’s not that different from your doctor’s office sending you a text or email reminding you of an appointment or letting you know about a blood test result — and leaving you alone the rest of the time.

In the world of software development, the build/assembly process is called a pipeline, which is a set of automated processes used by developers to compile, build and deploy their code to the production environment.

Parallel pipelines

Intelligent Orchestration is a pipeline as well, which runs in parallel to the build and release pipeline. It can be programmed to determine and initiate the most appropriate security tests, including static, dynamic, and interactive application security testing along with software composition analysis, which finds open source components in a developing codebase and any known vulnerabilities in those components.

“Within the Intelligent Orchestration pipeline you can configure the rules for the type of application you have, the technology, and the framework to make sure you are performing the right analysis,” Rao said.

“A simple example I use is: You made some changes in the JavaScript file for a font. Do I need to run all the activities — static analysis, dynamic analysis, and software composition analysis? A big No!”

“But if you make a major change to an encryption API (application programming interface) or to your authentication and authorization API, then you need to run static analysis and perform a manual code review to see if the changes were implemented properly,” she said.

In short, Intelligent Orchestration can be configured to do only what you want it to do, which is known as “policy as code.” It can be programmed to look at the code change significance, the risk profile of the application, and the policies to be considered and then “know” if a development team can skip certain security activities and push through to production.

That, Rao said, can eliminate the complaint she has heard so often from software developers: “My pipeline itself takes 10 minutes, but if I integrate security tools then it takes 40 minutes or more.”

Of course, any software developer knows it can get more complicated than that. Many larger organizations have hundreds or even thousands of projects in development, ranging from applications or services that are internal and never meant to be public-facing, to those that are designed for potentially millions of users on the internet.

It seems unlikely that all of them would use just one configuration of an Intelligent Orchestration pipeline. Does that mean spending the time, and money, to create thousands of separate, specific configurations?

Not exactly. “The key here is to look at different languages and technologies that an organization uses. We build one pipeline, and then you can iterate from that pipeline,” Rao said. “For example, if you have Java and Maven and there is one pipeline built for that technology, then if you have 10 applications that use those languages, you can inherit from that pipeline.”
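To make the “policy as code” idea concrete, here is a small evaluator written for this article; it is an added illustration, not Synopsys’s product, code or configuration. It encodes the two decisions Rao describes: which security activities a change requires (a font-related JavaScript file triggers nothing, a change under an encryption or authentication API triggers static analysis plus manual review) and how one base pipeline for a technology stack such as Java/Maven can be inherited by individual applications with their own risk profile and extra rules. The rule names, glob patterns, significance scale and the “internal”/“public” risk labels are all assumptions made for the example.

```python
"""Toy policy-as-code evaluator for an orchestration-style security pipeline.

Constructed example: rule names, globs, the 0-3 significance scale and the
"internal"/"public" risk labels are assumptions, not Synopsys configuration.
"""
from dataclasses import dataclass, field
import fnmatch

# Security activities the orchestration pipeline can trigger.
SAST, DAST, IAST, SCA, MANUAL_REVIEW = "sast", "dast", "iast", "sca", "manual_review"


@dataclass(frozen=True)
class Rule:
    name: str
    patterns: tuple        # glob patterns matched against changed file paths
    activities: frozenset  # activities required when the rule matches
    significance: int      # 0 = cosmetic ... 3 = security-critical (assumed scale)


@dataclass
class PipelinePolicy:
    technology: str
    rules: list = field(default_factory=list)  # first matching rule wins
    risk_profile: str = "internal"             # assumed labels: "internal" / "public"

    def inherit(self, risk_profile=None, extra_rules=()):
        """Derive an application-specific policy from a technology base pipeline.

        Application rules are checked before the inherited ones so they can override them.
        """
        return PipelinePolicy(
            technology=self.technology,
            rules=list(extra_rules) + list(self.rules),
            risk_profile=risk_profile or self.risk_profile,
        )


# Paths no rule classifies are treated like source code, so a gap in the rules
# fails towards scanning rather than towards silence.
FALLBACK = Rule("unclassified", (), frozenset({SAST}), 1)


def classify_change(policy, path):
    """Return the first rule whose glob matches the changed path, or None if unclassified."""
    for rule in policy.rules:
        if any(fnmatch.fnmatch(path, pattern) for pattern in rule.patterns):
            return rule
    return None


def plan_activities(policy, changed_files):
    """Return (sorted activities to run, highest significance among the changes)."""
    required, top = set(), 0
    for path in changed_files:
        rule = classify_change(policy, path) or FALLBACK
        required |= rule.activities
        top = max(top, rule.significance)
    # Public-facing applications get dependency scanning on any non-cosmetic change.
    if policy.risk_profile == "public" and top >= 1:
        required.add(SCA)
    return sorted(required), top


def fast_path(policy, changed_files):
    """True when the change needs no security activity and can go straight to production."""
    activities, _ = plan_activities(policy, changed_files)
    return not activities


# Base pipeline for one technology stack; every Java/Maven application can inherit it.
JAVA_MAVEN = PipelinePolicy("java-maven", rules=[
    Rule("cosmetic-assets", ("*.css", "*.svg", "*fonts*.js"), frozenset(), 0),
    Rule("crypto-api", ("*/crypto/*.java",), frozenset({SAST, MANUAL_REVIEW}), 3),
    Rule("authn-authz-api", ("*/auth/*.java",), frozenset({SAST, MANUAL_REVIEW}), 3),
    Rule("dependency-manifest", ("*pom.xml",), frozenset({SCA}), 2),
    Rule("source", ("*.java",), frozenset({SAST}), 1),
])

# One application inherits the base pipeline, declares itself public-facing and adds a rule.
PUBLIC_APP = JAVA_MAVEN.inherit(
    risk_profile="public",
    extra_rules=[Rule("payments", ("*/payments/*.java",),
                      frozenset({SAST, DAST, IAST, MANUAL_REVIEW}), 3)],
)

if __name__ == "__main__":
    for files in (["static/fonts.js"], ["src/main/java/app/crypto/TokenCipher.java"], ["pom.xml"]):
        print(files, "->", plan_activities(PUBLIC_APP, files), "fast path:", fast_path(PUBLIC_APP, files))
```

Two design choices matter more than the particular rules: the rule list is ordered so that an application’s own rules and the security-critical paths are checked before the generic “any .java file” rule, and an unclassified path defaults to scanning rather than to nothing, so forgetting to write a rule never silently opens the fast path to production.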

Bottom line: The reality is that developers aren’t going to slow down to accommodate security tools. Security tools have to speed up. “Software developers must move fast — they check in their code changes every day, even hourly,” Rao said. “Shipping fast is the new normal, whether we in the software security industry like it or not.”

Or, as a Fortune 500 financial services client of Synopsys put it, “the tests you don’t run can be equally as important as the tests you do run.”

That is what Intelligent Orchestration knows how to do — because you told it in advance.


Written by Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.