Under Pressure: Managing The Competing Demands of Development Velocity and Application Security

By : Patrick Carey | Wednesday, October 07 2020 - 16:15 IWST

Patrick Carey, Director, Product Marketing, Synopsys Software Integrity Group (Photo by LinkedIn)
Patrick Carey, Director, Product Marketing, Synopsys Software Integrity Group (Photo by LinkedIn)

INDUSTRY.co.id - The first software development team I worked on operated on the follow mantra:

Make it work.

Then, make it fast.

Then, make it elegant (maybe).

Meaning, don’t worry about performance optimisations until your code actually does what it’s supposed to do, and don’t worry about code maintainability until after you know it both works and performs well. Users generally have no idea how maintainable the code is, but they do know if the application is broken or slow. So more often than not, we’d never get around to refactoring the code — at least not until the code debt started to impact application reliability and performance.

Today that developer mantra has two additional lines:

Ship it sooner.

And while you’re at it, make it secure.

As with application performance and reliability, delivering an application on time is easily quantified and observed. Everybody knows when you miss a deadline — something that’s easy to do when your release cycles are measured in weeks, days, or even hours. But the security of an application isn’t so easily observed or quantified, at least not until there’s a security breach.

Why are vulnerabilities overlooked?

It should come as no surprise, then, that nearly half of the respondents to the modern application development security survey, conducted by Enterprise Strategy Group (ESG), state that their organisations regularly push vulnerable code to production. It’s also not surprising that for over half of those teams, tight delivery schedules and critical deadlines are the main contributing factor. In the presence of a deadline, what can be measured is what’s going to get done, and what can’t be (or at least isn’t) measured often doesn’t.

However, “we don’t have time to do it” doesn’t really cut it when it comes to application security. This is demonstrated by the 60% of respondents who reported that their applications have suffered OWASP Top 10 exploits during the past 12 months. The competing demands of short release cycles and improved application security are a real challenge for development and security teams.

You actually can build secure, high-quality software faster

It doesn’t have to be this way, and other findings in the survey report point to opportunities that teams have to both maintain development velocity and improve application security. Here are just a few:

Reject silver bullets. Gone are the days of security teams simply running DAST and penetration tests at the end of development. A consistent trend shown in the report is that teams are leveraging multiple types of security testing tools across the SDLC to address different forms of risk in both proprietary and open source code.

Integrate and automate. Software development is increasingly automated, and application security testing needs to be as well. Over half the respondents indicated that their security controls are highly integrated into their DevOps processes, with another 38% saying they are heading down that same path.

Train the team. Most developers lack sufficient application security knowledge to ensure their code isn’t vulnerable. Survey respondents indicated that developer knowledge is a challenge, as is consistent training. Without sufficient software security training, developers struggle to address the findings of application security tests. An effective way to remedy this is to provide “just-in-time” security training delivered through the IDE with a solution like Code Sight.

Keep score. If what gets measured gets done, then it’s important to measure the progress of both your AppSec testing and security training programs. This includes tracking the introduction and mitigation of security bugs as well as improvements to both of these metrics over time,  i.e., who is writing secure code and who isn’t, and are they improving?

News Comment

Today's Industry

Ilustration Brand phishing (Photo by Technonlogy For You)

Rabu, 21 Oktober 2020 - 15:30 WIB

Microsoft is Now Most Imitated Brand by Hackers

Microsoft soars from 5th place in Q2 to 1st place in Q3 for brand phishing attacks, making up 19% of all global phishing attacks in July, August and September.

L/R: Alwin Zecha, Founder - Pacific Leisure Group, Thailand; Hiran Cooray Chairman - Jetwing Symphony PLC, Sri Lanka; and Akbar Shareef, Chairman & Chief Executive - Rakaposhi Tours (Pvt) Ltd., Pakistan (Photo by Global Travel Media)

Jumat, 16 Oktober 2020 - 17:15 WIB

PATA Honours Industry Leaders, Pioneers and Professionals at 69th Annual General Meeting

The following awards were presented during the 69th Annual General Meeting held online PATA Gallery of Legends Award, PATA Life Membership, and PATA Chair’s Award.

Hypertherm, a U.S. Based Manufacturer of Industrial Cutting Systems and Software

Rabu, 14 Oktober 2020 - 21:30 WIB

Hypertherm Releases New CSR Report with Updates On Community Outreach, Environmental Impact, and Associate Well-Being

Hypertherm, a U.S. based manufacturer of industrial cutting systems and software, announced the release of its 2019 Corporate Social Responsibility Report.

Dr Paul Gardner-Stephen, Senior Lecturer, College of Science and Engineering, Flinders University (Photo by ICT Days)

Kamis, 24 September 2020 - 15:15 WIB

NBN Co to Spend $3bn Upgrading Half of FTTN Network to Full Fibre

In particular, the original Fibre-To-The-Premises (FTTP) plan had several key advantages that this announcement is not able to solve.

Rena Chua, Bug Bounty Advisor at HackerOne (Photo by Linkedin)

Kamis, 24 September 2020 - 14:15 WIB

How COVID-19 Is Impacting Security

With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs — while ensuring the security of existing systems and newly-acquired collaboration tools.