At Torq, we’re all about pushing boundaries and driving innovation. But we can’t afford to treat security as an afterthought in our relentless pursuit of speed and creativity. As a lean and agile team, we’re constantly challenged to stay ahead of emerging threats without slowing down our momentum. In this blog, I’ll take you behind the curtain to reveal how we’ve engineered an automated application security pipeline that helps us maintain security and fuels our rapid innovation.
The Challenge
At Torq, our software engineering teams manage various components and microservices, each with unique functionalities requiring meticulous threat modeling and vulnerability assessments. Modern software engineering integrates open-source and proprietary libraries, which introduces potential security vulnerabilities in individual and shared components across teams. The primary challenge is ensuring these vulnerabilities are continuously identified and mitigated before they compromise the production environment. Simultaneously, it’s crucial to maintain an environment where teams can continue to innovate and deliver high-quality software without being hindered by security concerns. In short, how do we ensure that potential application security vulnerabilities are identified and resolved before they can threaten our production environment, all while empowering our teams to innovate and deliver high-quality software?
The Solution Architecture
Our solution started with integrating an Application Security Posture Management (ASPM) platform, providing complete control over our supply chain and Software Development Life Cycle (SDLC). This visibility extends across open-source packages, Dockerfile dependencies, and container images—everything from the far-right side of the SDLC. But visibility alone can be overwhelming. We needed to take it further by leveraging Torq’s Hyperautomation capabilities.
This diagram provides a high-level illustration of the components that participate in the Application Security events pipeline.
Program Vision
My vision was simple, but ambitious: create a seamless, automated pipeline that transforms how we manage vulnerabilities. Here’s how we did it:
- Torq Workflows: Aggregate vulnerabilities by category (open-source, SBOM, secrets) and severity, streamlining issue management.
- Centralized Case Management: A single, aggregated Torq case for each repo, simplifying investigation and eliminating redundant tickets.
- Automation at Scale: With one click, generate Jira tickets, pull requests, and Slack notifications, all customized to our R&D teams’ templates.
- Daily SLA Reminders: Automated workflows ensure SLAs are met, keeping teams on track and focused.
I used Torq’s workflows to categorize and aggregate issues, while centralized case management simplifies investigations for R&D teams. Automation generates the Jira tickets, pull requests, and Slack notifications, and daily SLA reminders keep teams aligned. Ultimately, this ensures our teams can focus on what matters most—innovation without compromise. Below is an illustration of what that automated flow looks like:
The Implementation In Action
A single Torq case aggregates issues based on the severity and category within a specific repository, streamlining the work for R&D teams.
When a new issue is automatically pushed from the ASPM to Torq, it presents a comprehensive table with the relevant package, the recommended upgrade, a verdict, and direct links to the GitHub repository and the ASPM finding. If the issue requires R&D attention, Torq’s quick action button can initiate a new workflow that generates a Jira ticket, opens a branch-based Pull Request, and notifies the relevant R&D team via Slack, all while ensuring SLA compliance.
Now, with the necessary information at their fingertips, R&D teams can quickly identify and address what needs to be patched. They’re provided a direct link to the Pull Request, ensuring a seamless transition to the next steps. From here, Torq’s change management and SDLC policies take over, with the changes being reviewed, approved, and merged just like any other code, new Torq feature, or artifact.
SLA Compliance
In line with Torq’s policy, every issue is assigned a Service Level Agreement (SLA) based on severity. To ensure timely resolution, a daily automated workflow reviews open cases and notifies each R&D team of their remaining time to address these issues. This approach keeps teams on track, ensuring vulnerabilities are managed effectively without disrupting ongoing development.
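The aggregation and SLA logic described in the Program Vision, Implementation, and SLA Compliance sections can be made concrete in a few dozen lines. The following is an added example and not Torq’s own workflow code or any ASPM vendor’s schema: the finding fields, the SLA windows per severity, and the triage “verdict” rule are all assumptions, and the findings themselves are constructed sample data. It builds one case per repository with issues grouped by category and severity, produces the per-case table of package, recommended upgrade and verdict, and runs the daily SLA check that yields the reminder text for each owning team.

```python
"""Aggregate ASPM findings into one case per repository and run the daily SLA check."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample findings, shaped like the events an ASPM might push into an
# automation platform. The field names are assumptions, not any vendor's schema.
FINDINGS = [
    {"repo": "payments-api", "category": "open-source", "severity": "critical",
     "package": "lodash", "fix_version": "4.17.21", "opened": "2024-05-01"},
    {"repo": "payments-api", "category": "open-source", "severity": "high",
     "package": "axios", "fix_version": "1.6.0", "opened": "2024-05-03"},
    {"repo": "payments-api", "category": "secrets", "severity": "critical",
     "package": None, "fix_version": None, "opened": "2024-05-05"},
    {"repo": "web-frontend", "category": "sbom", "severity": "medium",
     "package": "minimist", "fix_version": "1.2.8", "opened": "2024-04-10"},
]

# Assumed SLA windows per severity; the post says SLAs are severity-based but gives no figures.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def aggregate_cases(findings):
    """One case per repo, with issues grouped by (category, severity) inside it."""
    cases = defaultdict(lambda: defaultdict(list))
    for f in findings:
        cases[f["repo"]][(f["category"], f["severity"])].append(f)
    return {repo: dict(groups) for repo, groups in cases.items()}


def verdict(issue):
    """Assumed triage rule: a known fix version means an automated upgrade PR is
    possible; anything else (e.g. a leaked secret) needs a human in the loop."""
    return "auto-upgrade" if issue["fix_version"] else "manual-remediation"


def case_rows(case):
    """Rows for the case table (package, recommended upgrade, verdict), most severe first."""
    rows = []
    for (category, severity), issues in case.items():
        for issue in issues:
            rows.append({
                "severity": severity,
                "category": category,
                "package": issue["package"] or "-",
                "upgrade_to": issue["fix_version"] or "-",
                "verdict": verdict(issue),
            })
    return sorted(rows, key=lambda r: SEVERITY_RANK[r["severity"]])


def deadline(issue, severity):
    """SLA deadline of one issue: the day it was opened plus the window for its severity."""
    return date.fromisoformat(issue["opened"]) + timedelta(days=SLA_DAYS[severity])


def sla_report(findings, today):
    """Daily SLA check: for each repo case, the tightest remaining window across its issues.
    `today` is an ISO date string so the check can be driven by a scheduler parameter."""
    today = date.fromisoformat(today)
    report = {}
    for repo, case in aggregate_cases(findings).items():
        deadlines = [deadline(i, sev) for (_, sev), issues in case.items() for i in issues]
        remaining = (min(deadlines) - today).days
        report[repo] = {
            "top_severity": min((sev for (_, sev) in case), key=SEVERITY_RANK.__getitem__),
            "remaining_days": remaining,
            "breached": remaining < 0,
            "issue_count": sum(len(issues) for issues in case.values()),
        }
    return report


def reminder_text(repo, status):
    """Text for the daily Slack reminder sent to the owning R&D team."""
    n = status["issue_count"]
    if status["breached"]:
        return f"{repo}: SLA breached by {-status['remaining_days']} day(s), {n} open issue(s)"
    return (f"{repo}: {status['remaining_days']} day(s) left on the "
            f"{status['top_severity']} SLA, {n} open issue(s)")


if __name__ == "__main__":
    today = "2024-05-06"  # fixed date so the sample output is reproducible
    for repo, case in aggregate_cases(FINDINGS).items():
        print(f"== case: {repo}")
        for row in case_rows(case):
            print(f"  {row['severity']:<8} {row['category']:<12} "
                  f"{row['package']:<10} -> {row['upgrade_to']:<8} {row['verdict']}")
    for repo, status in sla_report(FINDINGS, today).items():
        print(reminder_text(repo, status))
```

The case’s remaining time is driven by the single tightest deadline among its issues rather than by an average, so one forgotten critical finding cannot hide behind a group of comfortably scheduled medium ones; the verdict column is what lets a one-click action decide between opening an upgrade PR and routing to a human.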
When To Implement Successful Hyperautomation in SSDLC
Achieving fully automated vulnerability management may sound like an ambitious goal, but it’s essential for the velocity of modern security operations. Within Torq, we strive for a seamless process from detection to merge. Successful automation of these processes became possible:
- When the vulnerability management program is mature and well-established.
- When there are consistent, repeatable actions required for product or software updates.
- When the SDLC includes a robust testing process, acting as a safety net to catch any oversights during automation.
Conclusion: The Business Impact
The result of our efforts: A fully automated vulnerability management process that has revolutionized our approach to AppSec. We’ve slashed remediation time, improved SLA adherence, and empowered our R&D teams to deliver secure, high-quality software faster than ever. Here was the quantitative impact: