Removing the Barriers to Secure Development and Scalable App Security

Want to learn more about how to remove barriers in developing secure apps? Check out this post where we look at the dos and don'ts of app sec development.

Laura Paine user avatar by
Laura Paine
·
Oct. 22, 18 · Analysis

It is not uncommon for organizations to have “app sec programs” that do not actually improve the security of their applications. What good is such a program if the applications coming out of it are no better than when they went in?

You have two competing objectives in your organization:

  • Keep pushing software out to market as fast as possible so that your company can stay competitive
  • Stop insecure applications from making it to market

These competing objectives get stuck in a cycle: developers write more code, which accidentally introduces flaws and vulnerabilities into the applications; security scans the final application and delivers a batch of findings back to the developers, who have to prioritize them in their backlog. However, developers cannot slow down, so they keep writing new code while trying to fix some of the old problems. They end up fixing flaws at about the same rate that new ones are being introduced.

This cycle continues, and while your company is practicing app sec, you are not actually producing applications that are more secure.

This is because developers build software in three primary phases: writing code; combining the team’s code and checking how everything integrates; and pushing the final application to production. However, in today’s programs, most app sec testing happens only at the final stage, right before an application is ready for production. Testing at this stage is extremely important in order to ensure full security coverage of the application, but it is also the place where fixing newly found issues slows down development cycles the most: this is where the dreaded “unplanned/unscheduled” work crops up.

Run Security Tests Throughout the Software Development Lifecycle

Remember back in school when you had to write papers and essays? Most likely you would write your paper and then submit it to your professor. You could rely on your own ability to check the paper for spelling and grammar issues, but it is unlikely you could go much beyond such simple problems into things like context, flow, and accuracy. Not only that, it is plausible that, despite your best efforts, the paper would still be rife with grammar, spelling, and formatting errors. After all, we are all only human.

Luckily, you could use tools that check spelling, grammar, and sentence structure while you were writing, which narrowed the later review to context, accuracy, and flow and saved time in the revision process so that you could move on to other assignments. Of course, your professor still needed to review the work and assign a grade to the final paper. There are things a spelling and grammar checker will not find, such as the accuracy of the knowledge, the flow of the entire paper, and the context of the assignment. So while you use these tools to ensure that you have less work to do later on, you still need both the assistance while you are writing and the reviews from your peers. AppSec is no different…

Instant Feedback and Contextual Education Is Key

When we put this example in the context of application development, you can guess what leaving all review to the end does to your development team’s velocity, and therefore to your organization’s ability to innovate. There was a time when developers would send their code to a QA team and receive a laundry list of bug fixes in return. They soon realized that if they took ownership of some of this testing while they were writing their code, they could drastically reduce the number of bugs and issues they would receive down the road. The same approach lowers total security findings while maintaining the velocity of their teams.

The same holds in the security world: developers want to know, in the moment, what the security quality of the code they are working on is, so they can fix things while they work. However, they also need guidance as they go, and a tool that tells them not only what issues exist but also how to fix them.

By doing this, over time, you can drastically reduce the amount of unplanned/unscheduled work that your developers have to handle, something they will really appreciate.

Reduce the Number of Flaws to Maintain Secure Application Delivery

Overall, it is crucial to reduce the number of flaws entering downstream activities, to maintain development velocity for the good of your organization, and to improve the adoption of your app sec program by offering developers tools that work where, when, and how they expect them to. If you can get security and development teams on board with finding and fixing things up front, it drastically reduces the amount of work they have to do later, making app sec a help, not a hindrance.

Published at DZone with permission of Laura Paine, DZone MVB. See the original article here.
