DevSecOps automation is at its most effective when humans lend a hand, according to cloud and enterprise security architect and research scientist Professor Gamini Bulumulle.
Speaking at the bustling (ISC)² Security Congress in Orlando, Florida, on Tuesday, Bulumulle said that while automation can tackle tedious tasks and deliver fast results, the errors it can still produce make it not completely reliable.
Automated security scans designed to detect vulnerabilities and misconfigurations can miss weaknesses. They can also deliver incorrect results and leave no clues as to how or why they have done so.
"Automation is great because it's fast, but do we have the right tools? Some of the tools I have seen give false negatives and false positives," said Bulumulle.
"With automated scanning there is no tool to go back and find out why you are getting false positives. When that happens, we have to have manual intervention to go back and figure it all out."
Bulumulle added that automated security controls aren't always fully automated, but rather can be semi-automated or require manual intervention.
Giving an example of an automated process that still requires manual intervention, Bulumulle said: "Say you want to install IPS behind your firewall to capture your data; once you install it you might have to reboot your file."
For Bulumulle, any security solutions that offer a quick fix at a low price are as real as horse feathers.
"Security is expensive, and it's time-consuming," said the professor.
According to Bulumulle, keeping an eye on the security incidents and events that are happening is hugely important to ensure security, but it's only worth doing if the data being gathered is put to good use.
"Constant monitoring is really important. The event login data is the most underused resource in your organization. Someone has to go back and investigate."
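The point that login event data sits unused until someone goes back and investigates it is easiest to see with a small worked example. The following Python script is an added illustration, not code from the talk or from the article: it parses constructed sshd-style log lines (sample data made up here), flags password-guessing bursts and logins that succeed after a run of failures, and hands the findings to a human rather than acting on them. The thresholds, the finding labels and the sample lines are all assumptions chosen for the example. The last finding it produces (user bob, one failed attempt then a success) is exactly the low-confidence hit that Bulumulle says a tool cannot explain and a person has to adjudicate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in traditional syslog format (not real data).
SAMPLE_LOG = """\
Mar 12 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 10:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 12 10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 12 10:00:08 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 12 10:00:11 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 12 10:00:20 host1 sshd[1210]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Mar 12 10:05:00 host1 sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar 12 10:06:00 host1 sshd[1301]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 12 10:06:30 host1 sshd[1302]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""

# Assumed line shape: syslog timestamp, host, sshd[pid], then the auth outcome.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Return a list of (timestamp, outcome, user, ip) for each matching auth line.
    Lines that do not match the assumed format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Traditional syslog timestamps carry no year; the fixed default year is
        # fine for the intra-window deltas computed here (year rollover not handled).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("outcome"), m.group("user"), m.group("ip")))
    return events


def find_suspicious(events, fail_threshold=5, window_seconds=60):
    """Return findings for a human to investigate, evaluated per source IP in time order.

    "brute_force":            at least fail_threshold failures inside window_seconds
    "success_after_failures": an accepted login preceded by failures from the same
                              IP inside the window (possible guessed password, or a
                              user who simply mistyped; the tool cannot tell which)
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_ip[ev[3]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        recent_failures = []   # timestamps of failures still inside the sliding window
        brute_reported = False
        for ts, outcome, user, _ in evs:
            # Age out failures that fell outside the window.
            recent_failures = [t for t in recent_failures
                               if (ts - t).total_seconds() <= window_seconds]
            if outcome == "Failed":
                recent_failures.append(ts)
                if len(recent_failures) >= fail_threshold and not brute_reported:
                    findings.append({"type": "brute_force", "ip": ip,
                                     "failures": len(recent_failures),
                                     "last_seen": ts.strftime("%b %d %H:%M:%S")})
                    brute_reported = True
            else:  # Accepted
                if recent_failures:
                    findings.append({"type": "success_after_failures", "ip": ip,
                                     "user": user,
                                     "prior_failures": len(recent_failures),
                                     "at": ts.strftime("%b %d %H:%M:%S")})
                # A success ends the streak; later failures start a new one.
                recent_failures = []
                brute_reported = False
    return findings


def triage_log(text, **kwargs):
    """Parse raw log text and return the findings that need a manual look."""
    return find_suspicious(parse_events(text), **kwargs)


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script produces three findings: a brute-force burst from 203.0.113.7, a root login from that same address twenty seconds after the fifth failure, and bob logging in after a single failure. The first two are worth an immediate call; the third may be nothing, and only someone reading the surrounding events can say. That is the manual layer the talk argues automation cannot replace.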
Bulumulle said that DevSecOps lifecycle automation is necessary for rapid software development, but there is no silver bullet. He advocated some automation combined with two layers of manual verification.
"Peer review is really important. I'm a lazy proofreader so I always get someone to read my work."