In 1927, the U.S. Army Chief of Staff, Major-General Charles P. Summerall, delivered an address in which he discussed the human element of battle. At the start of his speech, he said that although the machines and weapons of war evolve, it is still humans who drive victory with their own unique skills and experiences:
It is trite to say that the human element remains, as it has ever been, the determining factor in battle. Machines and arms may be multiplied and changed, but the man who uses them will determine the final issues of victory or defeat.
Nearly 100 years later, cyberwar has become a new theater of global conflict, and Major-General Summerall’s words still ring true. Just as with physical warfare, the human element in cybersecurity can make all the difference between opening the door for an attack on critical infrastructure and keeping sensitive systems safe.
Digging in on web application security
Leveraging technology to enhance human skills is especially important in application security (AppSec), as internet-facing web apps were the number one attack vector in 2021. With over 10,000 websites created every hour, that presents a lot of excess attack surface for DevSecOps teams to cover – definitely more than manual testing alone could cope with. As we move toward security solutions that help us close critical coverage gaps, there’s no denying that automation with static and dynamic application security solutions (SAST and DAST tools) is a must to fortify the processes and workflows behind air-tight cybersecurity.
Machines and humans need to work together, just as Major-General Summerall stressed. Even if it works at peak efficiency (and that’s a big if), technology simply cannot replace experts in DevSecOps teams when it comes to making vital decisions and taking action. You need people with the know-how and necessary skills to make calls about serious vulnerabilities, breach attempts, and potential exploits. With critical infrastructures on the line, organizations and entire nations alike can no longer afford to neglect the pressing need to marry automated technology with human experience.
Humans and automation work hand-in-hand
For all the industry hype (especially anything with AI in the name), automation in security isn’t about replacing humans entirely; it’s there to make testing and detection easier and faster at the most critical decision points. Think of security like running a sports team. It requires a strategy that includes key plays, the right positions, the best equipment and uniforms – but, most of all, talented players to execute it all in a way that translates into a win on game night.
Application security that integrates automated features is no different. With the right strategy, people, processes, and tools, you can stay ready for the bad guys by playing expert defense and offense, with automation subbing in at critical points. Automation is no longer a nice-to-have but an essential part of your overall security mix, speeding up and scaling security testing to the level of modern development. Done right, the accuracy of automated security testing can take a lot of manual tasks and guesswork out of cybersecurity. That allows the human beings on your team to focus on challenges that really need their expertise and intuition without forever double-checking the machines.
DevSecOps teamwork can make a big difference
Let’s be real: human beings make mistakes. Data from the Egress Insider Data Breach Survey 2021 showed that human error is the leading cause of insider data breaches, with a hefty 84% of organizations touting human mistake as the reason they experienced a security incident. Improved communication and capable tools can help close gaps in security and development more effectively, culling some of those errors.
Relationships between development and security can be tricky to manage when communication isn’t clear, putting workflows in jeopardy. Data from an Invicti survey conducted with Wakefield Research – which included 500 DevSecOps respondents – found that just half (49%) of security and development professionals consider themselves to be “besties” with their counterparts. When these two critical teams break down communication barriers and figure out how to work together to shift security left and right in the development process, they can unlock the power to eliminate and prevent gaps that might otherwise lead to serious breaches.
DAST tools with fewer false alarms help humans prove ROI
In our most recent AppSec Indicator, the data told a pretty common tale in tech: 100% of DevSecOps professionals track ROI for their AppSec tools, and 68% are under great pressure to demonstrate that ROI clearly. This is where the collaboration between humans and accurate automation can really shine, with tools like Invicti’s DAST solutions delivering reliable data to demonstrate measurable security improvements.
Time-draining and workflow-breaking false positives are squashed with features like Proof-Based Scanning, which delivers 99.98% accuracy on confirmed scan results for 94% of direct-impact vulnerabilities. Automatically confirmed vulnerability reports sent directly to your developers via an issue tracker integration can save hundreds of hours each month when compared to manual or less mature processes. This translates into demonstrable ROI to validate investment decisions, support budgeting, and ultimately allow your teams to keep improving their security game.
Threat actors rely on human abilities – and so should you
Cybersecurity doesn’t have permanent fixes or one-size-fits-all solutions. In the cyber arms race, the bad guys are always looking for new weapons, new methods, and new ways in. They’re resilient, so we have to be, too. Once you have the ability to prevent errors and make natural human qualities work for you, not against you, security becomes easier to embed throughout your entire organization. Here are some practical tips for nurturing the human element of your AppSec strategy:
- Make sure the right people have the right access to development and testing systems, including SAST and DAST tools, regularly reviewing access levels and revoking access when necessary.
- Properly train employees on security best practices, from secure coding guidelines for developers to company-wide education on resisting social engineering attacks that can lead to big breaches.
- Set up a security champions program and elevate your most dedicated, security-minded employees as security advocates and watchdogs.
- Invest more budget in automated cybersecurity and keep up with the modern tools and features necessary that help your employees work more efficiently.
Streamlining vulnerability detection, prioritization, and remediation is one way to help the humans on your team work smarter, not harder.
Dig deeper into how Invicti’s accuracy and automation-backed scanning solutions save time and money by reading our technical guide on Proof-Based Scanning.