Security Automation and Orchestration

From 40 Hours to 4 Hours: Automating Security Response

Every Monday morning started the same way: a mountain of security alerts waiting for triage. Our security dashboard showed:

347 new vulnerability findings
89 containers flagged for outdated dependencies
23 Terraform misconfigurations
156 failed security scans
12 potential security incidents

The security team spent 40 hours every week manually reviewing these alerts:

Categorizing severity
Determining which services were affected
Creating Jira tickets
Notifying service owners
Tracking remediation
Following up on overdue fixes

We were drowning in alerts. Critical issues got lost in the noise. The team was burned out. We couldn't scale—hiring more people wouldn't solve a process problem.

Then I built our security automation platform. Automated triage, automatic remediation, self-service security fixes, intelligent escalation. The same work that took 40 hours now takes 4 hours—and the critical issues never slip through because machines don't get fatigued.

The results:

90% reduction in manual triage time
Mean Time to Remediate (MTTR) dropped from 21 days to 3 days
Zero critical vulnerabilities escaping to production
Security team focused on strategy, not busywork

This article covers every automation I built to transform our security operations.

What You'll Learn

Security Orchestration, Automation, and Response (SOAR) fundamentals
Automated vulnerability triage and prioritization
Auto-remediation patterns and safety
Automated PR creation for security fixes
Security ChatOps with Slack
Incident response automation
Self-healing security systems
Metrics and monitoring automation

The Security Automation Stack

Automated Vulnerability Triage

Stop manually sorting through thousands of findings.

Triage Automation System

// src/automation/vulnerability-triage.js
const { PrismaClient } = require('@prisma/client');
const prisma = new PrismaClient();

class VulnerabilityTriageAutomation {
  async processVulnerability(vuln) {
    // Calculate risk score
    const riskScore = this.calculateRiskScore(vuln);
    
    // Determine priority
    const priority = this.determinePriority(vuln, riskScore);
    
    // Check if auto-remediation is possible
    const canAutoFix = await this.canAutoRemediate(vuln);
    
    // Check for duplicates
    const isDuplicate = await this.checkDuplicate(vuln);
    if (isDuplicate) {
      return { action: 'ignore', reason: 'duplicate' };
    }
    
    // Check if already fixed
    const isFixed = await this.checkIfFixed(vuln);
    if (isFixed) {
      return { action: 'close', reason: 'already_fixed' };
    }
    
    // Create or update tracking issue
    const issue = await this.createOrUpdateIssue(vuln, priority, riskScore);
    
    // Route based on priority and auto-fix capability
    if (canAutoFix && priority !== 'CRITICAL') {
      return await this.autoRemediate(vuln, issue);
    } else if (priority === 'CRITICAL') {
      return await this.escalate(vuln, issue);
    } else {
      return await this.notifyOwner(vuln, issue);
    }
  }

  calculateRiskScore(vuln) {
    let score = 0;
    
    // Base score from CVSS
    score += (vuln.cvssScore || 0) * 10;
    
    // Environment multipliers
    if (vuln.environment === 'production') score *= 2;
    if (vuln.internetFacing) score *= 1.5;
    if (vuln.hasExploit) score *= 2;
    
    // Data sensitivity
    const dataClassification = vuln.service.dataClassification;
    if (dataClassification === 'pci-dss') score *= 1.8;
    if (dataClassification === 'pii') score *= 1.5;
    
    // Service criticality
    if (vuln.service.tier === 'tier-1') score *= 1.5;
    
    // Age of vulnerability
    const daysOld = this.getDaysOld(vuln.publishedDate);
    if (daysOld > 90) score *= 1.3;
    
    return Math.min(score, 100); // Cap at 100
  }

  determinePriority(vuln, riskScore) {
    if (riskScore >= 80 || vuln.severity === 'CRITICAL') {
      return 'CRITICAL'; // Fix immediately
    } else if (riskScore >= 60 || vuln.severity === 'HIGH') {
      return 'HIGH'; // Fix within 7 days
    } else if (riskScore >= 40 || vuln.severity === 'MEDIUM') {
      return 'MEDIUM'; // Fix within 30 days
    } else {
      return 'LOW'; // Fix within 90 days
    }
  }

  async canAutoRemediate(vuln) {
    // Check if we have an auto-fix strategy
    const strategies = await prisma.remediationStrategy.findMany({
      where: {
        OR: [
          { cveId: vuln.cveId },
          { packageName: vuln.package.name }
        ]
      }
    });
    
    if (strategies.length === 0) return false;
    
    // Check if the fix version is available
    if (!vuln.fixedVersion) return false;
    
    // Check if the package is directly managed (not transitive)
    if (vuln.isDirect === false) return false;
    
    // Check if there are breaking changes
    const hasBreakingChanges = await this.checkBreakingChanges(
      vuln.package.name,
      vuln.installedVersion,
      vuln.fixedVersion
    );
    
    return !hasBreakingChanges;
  }

  async checkDuplicate(vuln) {
    const existing = await prisma.vulnerability.findFirst({
      where: {
        cveId: vuln.cveId,
        serviceId: vuln.serviceId,
        status: { not: 'RESOLVED' }
      }
    });
    
    return !!existing;
  }

  async checkIfFixed(vuln) {
    // Check if service has been updated since vuln was found
    const service = await prisma.service.findUnique({
      where: { id: vuln.serviceId },
      include: { deployments: { take: 1, orderBy: { createdAt: 'desc' } } }
    });
    
    if (!service.deployments[0]) return false;
    
    const lastDeploy = service.deployments[0];
    
    // Scan the latest deployment
    const latestScan = await this.scanDeployment(lastDeploy.id);
    
    // Check if vulnerability still exists
    return !latestScan.vulnerabilities.some(v => v.cveId === vuln.cveId);
  }

  async createOrUpdateIssue(vuln, priority, riskScore) {
    const issueData = {
      title: `[${vuln.severity}] ${vuln.cveId}: ${vuln.package.name}`,
      description: this.generateIssueDescription(vuln, riskScore),
      labels: [
        'security',
        `severity:${vuln.severity.toLowerCase()}`,
        `priority:${priority.toLowerCase()}`,
        vuln.package.ecosystem
      ],
      priority: priority,
      dueDate: this.calculateDueDate(priority),
      assignee: vuln.service.owner
    };
    
    // Create Jira ticket
    const jiraIssue = await this.jira.createIssue(issueData);
    
    // Store in database
    const issue = await prisma.securityIssue.create({
      data: {
        vulnerabilityId: vuln.id,
        jiraKey: jiraIssue.key,
        priority: priority,
        riskScore: riskScore,
        status: 'OPEN',
        dueDate: issueData.dueDate
      }
    });
    
    return issue;
  }

  generateIssueDescription(vuln, riskScore) {
    return `
## Vulnerability Details

**CVE:** ${vuln.cveId}
**Package:** ${vuln.package.name}@${vuln.installedVersion}
**Severity:** ${vuln.severity} (CVSS: ${vuln.cvssScore})
**Risk Score:** ${riskScore}/100

**Service:** ${vuln.service.name}
**Environment:** ${vuln.environment}
**Internet Facing:** ${vuln.internetFacing ? 'Yes ⚠️' : 'No'}

## Impact

${vuln.description}

## Remediation

**Fixed in:** ${vuln.fixedVersion || 'No fix available'}

${vuln.fixedVersion ? `
### Auto-remediation Available

A pull request can be automatically created to upgrade this dependency.

\`\`\`bash
# Manual fix:
npm install ${vuln.package.name}@${vuln.fixedVersion}
\`\`\`
` : ''}

## Timeline

**Published:** ${vuln.publishedDate}
**Detected:** ${vuln.detectedAt}
**Must fix by:** ${this.calculateDueDate(this.determinePriority(vuln, riskScore))}

## References

- [CVE Details](https://nvd.nist.gov/vuln/detail/${vuln.cveId})
- [Package Advisory](${vuln.advisoryUrl})
`;
  }

  getDaysOld(date) {
    return Math.floor((Date.now() - new Date(date)) / (1000 * 60 * 60 * 24));
  }

  calculateDueDate(priority) {
    const daysToAdd = {
      CRITICAL: 1,
      HIGH: 7,
      MEDIUM: 30,
      LOW: 90
    }[priority];
    
    const date = new Date();
    date.setDate(date.getDate() + daysToAdd);
    return date;
  }
}

module.exports = VulnerabilityTriageAutomation;

Automated Remediation

Auto-fix vulnerabilities that are safe to fix automatically.

Auto-Remediation Engine

// src/automation/auto-remediation.js
const { Octokit } = require('@octokit/rest');
const semver = require('semver');

class AutoRemediationEngine {
  constructor() {
    this.octokit = new Octokit({ auth: process.env.GITHUB_TOKEN });
  }

  async autoRemediate(vuln, issue) {
    console.log(`🔧 Auto-remediating ${vuln.cveId}...`);
    
    // Get repository info
    const repo = await this.getRepository(vuln.serviceId);
    
    // Create feature branch
    const branchName = `security/auto-fix-${vuln.cveId}-${Date.now()}`;
    await this.createBranch(repo, branchName);
    
    // Update dependency file
    const updateResult = await this.updateDependency(
      repo,
      branchName,
      vuln.package.name,
      vuln.fixedVersion
    );
    
    if (!updateResult.success) {
      return { success: false, reason: updateResult.error };
    }
    
    // Run tests in CI
    const pr = await this.createPullRequest(repo, branchName, vuln, issue);
    
    // Monitor CI status
    await this.monitorCI(repo, pr.number);
    
    // Auto-merge if tests pass and it's not a major version bump
    if (this.canAutoMerge(vuln)) {
      await this.autoMerge(repo, pr.number);
    }
    
    return { success: true, pr: pr.html_url };
  }

  async updateDependency(repo, branch, packageName, version) {
    try {
      // Determine package manager
      const packageManager = await this.detectPackageManager(repo);
      
      switch (packageManager) {
        case 'npm':
          return await this.updateNpmDependency(repo, branch, packageName, version);
        case 'pip':
          return await this.updatePipDependency(repo, branch, packageName, version);
        case 'maven':
          return await this.updateMavenDependency(repo, branch, packageName, version);
        default:
          throw new Error(`Unsupported package manager: ${packageManager}`);
      }
    } catch (error) {
      return { success: false, error: error.message };
    }
  }

  async updateNpmDependency(repo, branch, packageName, version) {
    // Get current package.json
    const { data: file } = await this.octokit.repos.getContent({
      owner: repo.owner,
      repo: repo.name,
      path: 'package.json',
      ref: branch
    });
    
    const content = Buffer.from(file.content, 'base64').toString();
    const packageJson = JSON.parse(content);
    
    // Update version
    if (packageJson.dependencies?.[packageName]) {
      packageJson.dependencies[packageName] = `^${version}`;
    }
    if (packageJson.devDependencies?.[packageName]) {
      packageJson.devDependencies[packageName] = `^${version}`;
    }
    
    // Commit updated file
    await this.octokit.repos.createOrUpdateFileContents({
      owner: repo.owner,
      repo: repo.name,
      path: 'package.json',
      message: `fix(security): upgrade ${packageName} to ${version}`,
      content: Buffer.from(JSON.stringify(packageJson, null, 2)).toString('base64'),
      branch: branch,
      sha: file.sha
    });
    
    // Also update package-lock.json if it exists
    try {
      await this.updatePackageLock(repo, branch);
    } catch (e) {
      // package-lock.json might not exist
    }
    
    return { success: true };
  }

  async createPullRequest(repo, branch, vuln, issue) {
    const pr = await this.octokit.pulls.create({
      owner: repo.owner,
      repo: repo.name,
      title: `🔒 Security: Fix ${vuln.cveId} by upgrading ${vuln.package.name}`,
      head: branch,
      base: 'main',
      body: this.generatePRBody(vuln, issue),
      maintainer_can_modify: true
    });
    
    // Add labels
    await this.octokit.issues.addLabels({
      owner: repo.owner,
      repo: repo.name,
      issue_number: pr.data.number,
      labels: ['security', 'automated', 'dependencies']
    });
    
    // Link to Jira issue
    await this.linkToJira(issue.jiraKey, pr.data.html_url);
    
    return pr.data;
  }

  generatePRBody(vuln, issue) {
    const versionDiff = this.getVersionDiff(vuln.installedVersion, vuln.fixedVersion);
    
    return `## 🔒 Security Fix: ${vuln.cveId}

This automated PR fixes a **${vuln.severity}** severity vulnerability in \`${vuln.package.name}\`.

### Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE** | ${vuln.cveId} |
| **Severity** | ${vuln.severity} (CVSS: ${vuln.cvssScore}) |
| **Package** | ${vuln.package.name} |
| **Current Version** | ${vuln.installedVersion} |
| **Fixed Version** | ${vuln.fixedVersion} |
| **Version Change** | ${versionDiff} |

### Impact

${vuln.description}

### Changes

- ⬆️ Upgraded \`${vuln.package.name}\` from \`${vuln.installedVersion}\` to \`${vuln.fixedVersion}\`

### Testing

- [ ] Automated tests pass
- [ ] Manual testing completed
- [ ] No breaking changes detected

### References

- [JIRA Issue: ${issue.jiraKey}](${this.jiraUrl}/${issue.jiraKey})
- [CVE Details](https://nvd.nist.gov/vuln/detail/${vuln.cveId})
- [Package Advisory](${vuln.advisoryUrl})

---

**🤖 This is an automated security fix.** 
${versionDiff.includes('MAJOR') ? '⚠️ **Major version upgrade** - requires manual review before merging.' : '✅ Safe to auto-merge after tests pass.'}

**Auto-generated by Security Automation Platform**
`;
  }

  getVersionDiff(current, fixed) {
    if (semver.major(fixed) > semver.major(current)) {
      return `MAJOR (${current} → ${fixed})`;
    } else if (semver.minor(fixed) > semver.minor(current)) {
      return `MINOR (${current} → ${fixed})`;
    } else {
      return `PATCH (${current} → ${fixed})`;
    }
  }

  canAutoMerge(vuln) {
    // Only auto-merge patch and minor versions
    const current = vuln.installedVersion;
    const fixed = vuln.fixedVersion;
    
    return semver.major(fixed) === semver.major(current);
  }

  async monitorCI(repo, prNumber) {
    // Wait for CI checks to complete
    const maxWait = 30 * 60 * 1000; // 30 minutes
    const checkInterval = 30 * 1000; // 30 seconds
    let waited = 0;
    
    while (waited < maxWait) {
      const { data: checks } = await this.octokit.checks.listForRef({
        owner: repo.owner,
        repo: repo.name,
        ref: `refs/pull/${prNumber}/head`
      });
      
      const allComplete = checks.check_runs.every(
        run => run.status === 'completed'
      );
      
      if (allComplete) {
        const allPassed = checks.check_runs.every(
          run => run.conclusion === 'success'
        );
        return allPassed;
      }
      
      await this.sleep(checkInterval);
      waited += checkInterval;
    }
    
    return false; // Timeout
  }

  async autoMerge(repo, prNumber) {
    await this.octokit.pulls.merge({
      owner: repo.owner,
      repo: repo.name,
      pull_number: prNumber,
      merge_method: 'squash',
      commit_title: `🔒 Security: Auto-merge vulnerability fix`,
      commit_message: 'Automatically merged by Security Automation Platform'
    });
    
    console.log(`✅ Auto-merged PR #${prNumber}`);
  }

  sleep(ms) {
    return new Promise(resolve => setTimeout(resolve, ms));
  }
}

module.exports = AutoRemediationEngine;

Security ChatOps with Slack

Bring security operations into Slack for visibility and collaboration.

Slack Security Bot

// src/automation/slack-security-bot.js
const { WebClient } = require('@slack/web-api');
const { createEventAdapter } = require('@slack/events-api');

class SecuritySlackBot {
  constructor() {
    this.client = new WebClient(process.env.SLACK_BOT_TOKEN);
    this.slackEvents = createEventAdapter(process.env.SLACK_SIGNING_SECRET);
    
    this.setupEventHandlers();
  }

  setupEventHandlers() {
    // Handle slash commands
    this.slackEvents.on('app_mention', this.handleMention.bind(this));
  }

  async notifyCriticalVulnerability(vuln, issue) {
    const blocks = [
      {
        type: 'header',
        text: {
          type: 'plain_text',
          text: `🚨 Critical Vulnerability: ${vuln.cveId}`,
          emoji: true
        }
      },
      {
        type: 'section',
        fields: [
          {
            type: 'mrkdwn',
            text: `*Service:*\n${vuln.service.name}`
          },
          {
            type: 'mrkdwn',
            text: `*Severity:*\n${vuln.severity} (${vuln.cvssScore})`
          },
          {
            type: 'mrkdwn',
            text: `*Package:*\n\`${vuln.package.name}@${vuln.installedVersion}\``
          },
          {
            type: 'mrkdwn',
            text: `*Fixed In:*\n\`${vuln.fixedVersion}\``
          }
        ]
      },
      {
        type: 'section',
        text: {
          type: 'mrkdwn',
          text: `*Impact:* ${vuln.description}`
        }
      },
      {
        type: 'actions',
        elements: [
          {
            type: 'button',
            text: {
              type: 'plain_text',
              text: '🔧 Auto-Fix',
              emoji: true
            },
            style: 'primary',
            value: `autofix_${vuln.id}`,
            action_id: 'autofix_vulnerability'
          },
          {
            type: 'button',
            text: {
              type: 'plain_text',
              text: '👀 View Details',
              emoji: true
            },
            url: `${this.jiraUrl}/${issue.jiraKey}`
          },
          {
            type: 'button',
            text: {
              type: 'plain_text',
              text: '⏭️ Ignore',
              emoji: true
            },
            style: 'danger',
            value: `ignore_${vuln.id}`,
            action_id: 'ignore_vulnerability'
          }
        ]
      }
    ];
    
    const channel = this.getSecurityChannel(vuln.severity);
    
    await this.client.chat.postMessage({
      channel: channel,
      blocks: blocks,
      text: `Critical vulnerability found: ${vuln.cveId}`
    });
  }

  async notifyAutoFixComplete(vuln, pr) {
    await this.client.chat.postMessage({
      channel: this.getSecurityChannel(vuln.severity),
      blocks: [
        {
          type: 'section',
          text: {
            type: 'mrkdwn',
            text: `✅ *Auto-fix completed for ${vuln.cveId}*\n\nPR created: ${pr.html_url}`
          }
        }
      ]
    });
  }

  async sendDailySummary() {
    const stats = await this.getSecurityStats();
    
    const blocks = [
      {
        type: 'header',
        text: {
          type: 'plain_text',
          text: '📊 Daily Security Summary',
          emoji: true
        }
      },
      {
        type: 'section',
        fields: [
          {
            type: 'mrkdwn',
            text: `*New Vulnerabilities:*\n${stats.newVulnerabilities}`
          },
          {
            type: 'mrkdwn',
            text: `*Fixed Today:*\n${stats.fixedToday}`
          },
          {
            type: 'mrkdwn',
            text: `*Auto-Fixed:*\n${stats.autoFixed}`
          },
          {
            type: 'mrkdwn',
            text: `*Awaiting Review:*\n${stats.awaitingReview}`
          }
        ]
      },
      {
        type: 'divider'
      },
      {
        type: 'section',
        text: {
          type: 'mrkdwn',
          text: `*Top Issues:*\n${this.formatTopIssues(stats.topIssues)}`
        }
      }
    ];
    
    await this.client.chat.postMessage({
      channel: '#security',
      blocks: blocks
    });
  }

  getSecurityChannel(severity) {
    return severity === 'CRITICAL' ? '#security-critical' : '#security';
  }

  formatTopIssues(issues) {
    return issues
      .slice(0, 5)
      .map((issue, i) => `${i + 1}. ${issue.cveId} - ${issue.service}`)
      .join('\n');
  }
}

module.exports = SecuritySlackBot;

Incident Response Automation

Automate the security incident response workflow.

Incident Response Playbook

// src/automation/incident-response.js
class IncidentResponseAutomation {
  async handleSecurityIncident(incident) {
    console.log(`🚨 Handling security incident: ${incident.id}`);
    
    // Execute response playbook
    const playbook = await this.getPlaybook(incident.type);
    
    for (const step of playbook.steps) {
      try {
        await this.executeStep(step, incident);
      } catch (error) {
        await this.escalate(incident, step, error);
      }
    }
  }

  async executeStep(step, incident) {
    console.log(`📋 Executing step: ${step.name}`);
    
    switch (step.action) {
      case 'isolate_service':
        return await this.isolateService(incident.serviceId);
      
      case 'block_ip':
        return await this.blockIP(incident.sourceIP);
      
      case 'rotate_credentials':
        return await this.rotateCredentials(incident.affectedCredentials);
      
      case 'notify_team':
        return await this.notifyTeam(incident);
      
      case 'create_ticket':
        return await this.createIncidentTicket(incident);
      
      case 'collect_evidence':
        return await this.collectEvidence(incident);
      
      case 'trigger_pagerduty':
        return await this.triggerPagerDuty(incident);
      
      default:
        throw new Error(`Unknown action: ${step.action}`);
    }
  }

  async isolateService(serviceId) {
    console.log(`🔒 Isolating service ${serviceId}...`);
    
    // Scale to zero replicas
    await kubectl.patch('deployment', serviceId, {
      spec: { replicas: 0 }
    });
    
    // Update network policy to deny all traffic
    await kubectl.apply({
      apiVersion: 'networking.k8s.io/v1',
      kind: 'NetworkPolicy',
      metadata: {
        name: `${serviceId}-incident-isolation`,
        namespace: 'production'
      },
      spec: {
        podSelector: {
          matchLabels: { app: serviceId }
        },
        policyTypes: ['Ingress', 'Egress'],
        ingress: [],
        egress: []
      }
    });
    
    console.log(`✅ Service ${serviceId} isolated`);
  }

  async blockIP(ip) {
    console.log(`🚫 Blocking IP ${ip}...`);
    
    // Add to WAF block list
    await aws.wafv2.updateIPSet({
      Name: 'BlockedIPs',
      Id: process.env.WAF_IP_SET_ID,
      Scope: 'REGIONAL',
      Addresses: [ip]
    });
    
    // Add to CloudFlare block list
    await cloudflare.firewallAccessRules.create({
      mode: 'block',
      configuration: { target: 'ip', value: ip },
      notes: `Auto-blocked by incident response: ${new Date()}`
    });
    
    console.log(`✅ IP ${ip} blocked`);
  }

  async rotateCredentials(credentials) {
    console.log(`🔑 Rotating ${credentials.length} credentials...`);
    
    for (const cred of credentials) {
      switch (cred.type) {
        case 'aws_key':
          await this.rotateAWSKey(cred.keyId);
          break;
        case 'database':
          await this.rotateDatabasePassword(cred.connectionString);
          break;
        case 'api_key':
          await this.rotateAPIKey(cred.keyId);
          break;
      }
    }
    
    console.log(`✅ Credentials rotated`);
  }

  async triggerPagerDuty(incident) {
    await pagerduty.incidents.create({
      incident: {
        type: 'incident',
        title: `Security Incident: ${incident.type}`,
        service: {
          id: process.env.PAGERDUTY_SERVICE_ID,
          type: 'service_reference'
        },
        urgency: 'high',
        body: {
          type: 'incident_body',
          details: JSON.stringify(incident, null, 2)
        }
      }
    });
  }
}

module.exports = IncidentResponseAutomation;

Metrics and Reporting Automation

Track security metrics automatically.

Security Metrics Collector

// src/automation/metrics-collector.js
const { InfluxDB, Point } = require('@influxdata/influxdb-client');

class SecurityMetricsCollector {
  constructor() {
    this.influx = new InfluxDB({
      url: process.env.INFLUX_URL,
      token: process.env.INFLUX_TOKEN
    });
    this.writeApi = this.influx.getWriteApi('security', 'metrics');
  }

  async collectMetrics() {
    // Vulnerability metrics
    await this.collectVulnerabilityMetrics();
    
    // Remediation metrics
    await this.collectRemediationMetrics();
    
    // Compliance metrics
    await this.collectComplianceMetrics();
    
    // Coverage metrics
    await this.collectCoverageMetrics();
    
    await this.writeApi.flush();
  }

  async collectVulnerabilityMetrics() {
    const vulns = await prisma.vulnerability.groupBy({
      by: ['severity', 'status'],
      _count: true
    });
    
    for (const group of vulns) {
      const point = new Point('vulnerabilities')
        .tag('severity', group.severity)
        .tag('status', group.status)
        .intField('count', group._count);
      
      this.writeApi.writePoint(point);
    }
    
    // Mean Time to Remediate
    const mttr = await this.calculateMTTR();
    this.writeApi.writePoint(
      new Point('mttr')
        .floatField('days', mttr)
    );
  }

  async calculateMTTR() {
    const resolved = await prisma.vulnerability.findMany({
      where: { status: 'RESOLVED' },
      select: {
        detectedAt: true,
        resolvedAt: true
      }
    });
    
    const times = resolved.map(v => 
      (v.resolvedAt - v.detectedAt) / (1000 * 60 * 60 * 24)
    );
    
    return times.reduce((a, b) => a + b, 0) / times.length;
  }

  async generateWeeklyReport() {
    const startDate = new Date();
    startDate.setDate(startDate.getDate() - 7);
    
    const stats = {
      newVulnerabilities: await this.countNewVulnerabilities(startDate),
      fixedVulnerabilities: await this.countFixedVulnerabilities(startDate),
      autofixRate: await this.calculateAutofixRate(startDate),
      mttr: await this.calculateMTTR(),
      topVulnerabilities: await this.getTopVulnerabilities(10),
      securityScore: await this.calculateSecurityScore()
    };
    
    // Send report
    await this.sendReport(stats);
    
    return stats;
  }

  async calculateSecurityScore() {
    const factors = {
      criticalVulns: await this.countCriticalVulnerabilities(),
      mttr: await this.calculateMTTR(),
      coverage: await this.calculateCoverage(),
      policyCompliance: await this.calculatePolicyCompliance()
    };
    
    // Score calculation (100 = perfect)
    let score = 100;
    
    // Deduct for critical vulns
    score -= factors.criticalVulns * 10;
    
    // Deduct for high MTTR
    if (factors.mttr > 7) score -= (factors.mttr - 7) * 2;
    
    // Deduct for low coverage
    score -= (100 - factors.coverage) * 0.5;
    
    // Deduct for policy violations
    score -= (100 - factors.policyCompliance) * 0.3;
    
    return Math.max(0, Math.min(100, score));
  }
}

module.exports = SecurityMetricsCollector;

Best Practices

1. Start with High-Value Automation

// Priority order:
1. Critical vulnerability triage
2. Auto-remediation for patch versions
3. Notifications and escalation
4. Metrics and reporting
5. Complex incident response

2. Include Human-in-the-Loop for Critical Actions

// Never auto-execute without review:
- Major version upgrades
- Infrastructure changes
- Credential rotation in production
- Service isolation

3. Comprehensive Logging

// Log every automated action
logger.info('Automation executed', {
  action: 'auto_remediate',
  vulnerability: vuln.id,
  result: 'success',
  pr: pr.url,
  timestamp: new Date()
});

4. Rollback Capabilities

// Always have an undo button
async rollbackAutoFix(prNumber) {
  await this.closePR(prNumber);
  await this.revertChanges(prNumber);
  await this.notifyTeam('Auto-fix rolled back');
}

5. Gradual Rollout

// Start conservative
- Week 1: Notify only
- Week 2: Create PRs, don't merge
- Week 3: Auto-merge patch versions
- Week 4: Auto-merge minor versions

Key Takeaways

✅ Automate triage - Stop manually sorting alerts ✅ Auto-remediate safely - Patch versions, non-breaking changes ✅ ChatOps for visibility - Bring security into team workflows ✅ Incident playbooks - Automated response to common scenarios ✅ Track metrics - Measure improvement continuously ✅ Human oversight - Automation assists, humans decide on critical actions ✅ Start small, iterate - Begin with high-value, low-risk automation

What's Next

You've built automated security operations. In the final article of this series, we'll cover scaling DevSecOps to the enterprise level—building security champions programs, measuring success across 1000+ developers, and creating a sustainable security culture.

Next Article: Enterprise DevSecOps and Production Security →

Part of the DevSecOps 101 Series

PreviousSecurity Policy as Code NextEnterprise DevSecOps and Production Security

Last updated 1 month ago

hashtagFrom 40 Hours to 4 Hours: Automating Security Response

hashtagWhat You'll Learn

hashtagThe Security Automation Stack

hashtagAutomated Vulnerability Triage

hashtagTriage Automation System

hashtagAutomated Remediation

hashtagAuto-Remediation Engine

hashtagSecurity ChatOps with Slack

hashtagSlack Security Bot

hashtagIncident Response Automation

hashtagIncident Response Playbook

hashtagMetrics and Reporting Automation

hashtagSecurity Metrics Collector

hashtagBest Practices

hashtag1. Start with High-Value Automation

hashtag2. Include Human-in-the-Loop for Critical Actions

hashtag3. Comprehensive Logging

hashtag4. Rollback Capabilities

hashtag5. Gradual Rollout

hashtagKey Takeaways

hashtagWhat's Next