How AppSec Reduces Unplanned Work
Unplanned work is the enemy of productivity.
Unplanned Work in Software Development
Software development is about delivering software on time, and it’s about planned activity toward that delivery. But it is also about delivering quality, secure software. And that means that anytime you find a security issue that you need to resolve, it’s an instance of unplanned work. This unplanned work is going to cost time and money, and reduce your capacity to do planned work. In contrast, reducing the amount of unplanned work will boost your capacity for planned work. The bottom line here is that if you reduce the number of security-related defects introduced into your software, your software development will become more effective. Furthermore, if you can tackle your unplanned work in a more efficient way – in this case, remediating software-related defects – you reap even greater productivity benefits.
In the end, implementing an effective application security program will save you money and increase business agility. It will increase the capacity for your business to deliver software that has value. But the key word there is “effective” – application security done right will produce these benefits, application security done wrong will slow your process down and end up costing you money. This involves expanding your application focus beyond finding and fixing – it’s prevention that is going to make the biggest difference to your bottom line.
Application Security Tactics That Reduce Unplanned Work
If you think about application security through the lens of unplanned work, you want it to both reduce the number of “surprise” tasks and make those tasks easier to handle. With that in mind, you want to make sure your application security program includes:
The flaw that’s easiest to fix is the one that’s never introduced. Most developers have had no training, either in school or on the job, on secure coding. So if your application security plan only involves scanning your code, your developers won’t know how to address the scan results, and won’t know how to avoid the same mistakes in the future. Address this problem with training on secure coding for your development teams, some kind of remediation coaching, and the creation of security champions on development teams who can help keep security issues top of mind and help address security problems when they arise.
To put some numbers behind this idea – we’ve found that development teams that take advantage of secure coding eLearning improve their fix rates by 20 percent. Those that use remediation coaching see fix rates improve by as high as 88 percent.
Integration and Automation
This falls under the “make the unplanned work less painful” category. Application security that is automated and integrated into the tools development and security teams are already using makes it easier to find and address security-related defects. If you have to stop what you’re doing and switch tools to conduct a security test – you’re adding to, rather than easing, your unplanned work. Also, with security testing integrated into early development phases, you’re addressing security defects much more quickly and inexpensively than if you wait until later in development phases.
Application security can reduce unplanned work and boost your bottom line, but only if you implement a program that goes beyond identifying security-related defects to focus both on making identification and remediation easier and on prevention.
For More Info
Get more details on the ROI of application security in our eBook, Making Application Security Pay.
Published at DZone with permission of Suzanne Ciccone. See the original article here.