Consolidation can keep too many ‘cooks’ from spoiling your software security stew
Diversity is generally viewed as a good thing, for good reasons. Everything from monoculture to monochromatic, monopoly, and monolithic can range from boring (as in monotonous) to unhealthy to dangerous.
But diversity simply for diversity’s sake? Perhaps not such a good thing. And that is becoming the prevailing view on what is the most effective and efficient way to build and maintain secure software.
One of the latest industry trends, documented by analyst firm Gartner in its “Top Trends in Cybersecurity 2022” report, is that 75% of security and risk management leaders — up from 29% two years earlier — are looking to decrease the diversity of the vendors they use to provide software security tools and services. Gartner predicted that within the next two years, organizations will reduce the number of vendors securing the life cycle of cloud-native applications to a maximum of three.
The reasons? “The need to reduce complexity, leverage commonalities, reduce administration overhead, and provide more effective security,” according to Gartner. Or, more briefly: Make it simpler, better, and cheaper. What’s not to like about that, especially in a weakened economy still under threat of recession?
Indeed, diversity haphazardly done can lead to chaos. Security experts have warned for years about the risks of “tool sprawl” after multiple surveys found that organizations on average were running 25 to 49 security tools from as many as 10 different vendors, with many of those tools doing the same thing.
That’s not only duplicative overkill; too many tools can also generate so many alerts that they overwhelm development teams. The alerts become background noise and are ignored — the exact opposite of the intent. Instead of improving security they undermine it. That kind of redundancy makes you weaker, not stronger.
Sprawling problems
And now similar thinking is being applied to what could be called “vendor sprawl.” Or as the more common cliché puts it, the “too many cooks” syndrome.
The reality is that the systems, interfaces, and tools of different vendors don’t always play nice together, so to speak, even if some of those tools are considered best of breed. Incompatibility problems can include blind spots in monitoring and alerting, response delays, and communication failures.
As a post in Dark Reading from several years ago noted, “Hackers often exploit vulnerabilities in tools that do not communicate securely or are not regularly updated.”
To mitigate that risk, organizations frequently must hire and train staff to manage the multiple incompatibilities among their tools. And the Gartner report noted that most organizations can’t afford this kind of complex management: “The technical security staff necessary to effectively integrate a best-of-breed portfolio of security products is simply not available to most organizations.”
It’s also a waste of money, even though the consolidation trend is not primarily about cutting costs. Gartner reported that 65% of survey respondents said their most important goals were to reduce complexity and decrease security risks. Only 29% expected to cut spending.
This, according to Gartner VP Analyst John Watts, is as it should be. “Cost optimization should not be the primary driver for vendor consolidation,” he said.
Indeed, whatever the driver, the priority should be better security. So while, as noted, there are obvious benefits to vendor consolidation, there are risks as well. One of the most significant is that, in most cases, an organization will have to live with its choice of vendor for several years through a long-term contract. Obviously a poor choice could mean a long-term headache. So the choice needs to be made very carefully.
Which leads to the main question: How should organizations vet a potential security vendor? Most experts agree that due diligence should include at least the following.
Portfolio is primary. If you’re going to use the products and services of a single vendor, it’s crucial that they meet all your multiple security needs. It’s not enough for just one of the so-called “essential three” automated software testing tools, such as static application security testing (SAST), to be among the best available if the other two — software composition analysis (SCA) and dynamic application security testing (DAST) — are more like add-ons, amounting to fries with your burger. Another image is that of a planet (SAST as a specialty) with minor moons (SCA and DAST) thrown in. Add-ons aren’t good enough if they amount to a side dish or a planetary moon.
Without best-of-breed tools and services, you’ll have weak links in your security testing chain, which means your whole chain is weak. That’s toxic in a software development life cycle where doing the right test at the right time is the only way to ensure that security gets built into software at what has become the hyperdrive speed of development.
It’s also important to ask if your vendor of choice can offer first-class solutions in capabilities like interactive application security testing and fuzz testing to probe code for vulnerabilities before an application goes into production.
Finally, you need a vendor with solutions that cover whether an organization consumes its testing on premises or in the cloud. Keep in mind that software risk is business risk at all levels, given that software is embedded into everything from your internal operations to your online presence and, in many cases, your products.
Demand an open platform. Consolidation isn’t going to be an overnight event where you turn off six switches and leave one on. Gartner’s Watts noted that “security and IT leaders should plan at least two years for consolidation as it takes time to effectively consolidate and consider incumbent vendor switching costs. It’s also important to anticipate vendor M&A disruption as the security market is always consolidating but never consolidated.”
Beyond that, as Jim Ivers, vice president of marketing with the Synopsys Software Integrity Group, puts it, vendor consolidation is “the equivalent of changing the tires on a moving vehicle.”
To do the software security version of this type of switch requires a platform that will enable you to keep things running with your existing security testing tools — proprietary, third-party, open source solutions, or manual processes (e.g., threat modeling, penetration testing) — to simplify the transition. Without it, there will be testing gaps — exactly what you don’t want.
Verify stability and longevity. As noted, consolidation means a chosen vendor is going to be a partner for a while. This is not the time to commit to a startup that may look promising but is just as likely to crash and burn over the next five years as it is to soar to success. You want an established player with financial stability. It’s also crucial that it has a history of evolving its portfolio to keep pace with rapidly evolving development techniques and threats.
In short, consolidation can be good or bad for you, depending on how you do it. To stay on the good side, take the time to choose a partner that will help you build trust in your software for the long term.