April 10, 2019 By Joe Coletta 3 min read

In today’s ever-evolving digital trust landscape, the term DevOps has become synonymous with speed. If you want to compete, you need to build quality code quickly. Yet as quickly as companies are able to innovate, the bad guys are constantly developing new ways to exploit vulnerable applications.

With that in mind, business leaders and security managers need an application security solution that integrates into the software development life cycle (SDLC) to maintain speed to market. However, there is a delicate balance between security and speed, and striking it is an exercise in understanding your objectives and risks and empowering your developers to lead the charge.

Understand Your Application Security Objectives

If your priority is to simply check the box, so to speak, to satisfy regulatory requirements, it’s important to consider that compliance does not always equal security. That’s not to say achieving compliance is a fast or easy task, but if your goal is to prevent a breach by writing secure software, you need to go beyond just compliance.

Most regulatory requirements are painted with a broad brush and don’t take the nuances of your application into consideration. Compliance is a point-in-time endeavor to check a specific set of requirements that could quickly become irrelevant given the lightning-fast pace of application development. That’s why instituting security throughout the development pipeline is crucial to delivering secure code on time. When security is baked into your application’s DNA from the start, compliance should come easy. Furthermore, you can set yourself apart from the rest of the market by establishing security policies based on the needs of the business.

What Makes a Balanced AppSec Program?

There’s a common misconception that only certain types of application testing can match the speed of Agile or DevOps methodologies. Because of this, many organizations will settle for the type of application testing solution they think satisfies their delivery timelines.

There is no single magic bullet that will provide end-to-end security coverage across your entire app portfolio. Static analysis cannot test for broken authentication, just like dynamic analysis cannot test for insecure data flows. It takes a balanced approach to testing and leveraging different technologies to have a fully mature application security program.

The good news is that application security technology has advanced leaps and bounds over the last decade and is shifting left with the rest of the industry. Static analysis can be integrated at the earliest stages of the development life cycle, and dynamic analysis can be applied to QA testing and even functional testing to only check for certain code changes. Taking the time to understand your risk tolerance and adopting the right blend of technologies can help ensure that you’re delivering quality secure code on time.

Empower Your Developers to Be Security Standard-Bearers

Part of the nuance of balancing security and speed is finding security flaws quickly so you can remediate rapidly. You may have had a high school coach or teacher who taught you how to fail so that you may learn from your mistakes. The same applies to security.

It’s important to recognize real security vulnerabilities early and have an action plan in place to remediate them before they are pushed into production. A major component of this approach is a development team that is backed by a thorough security training curriculum and empowered to take remediation into its own hands. For starters, consider the most common recurring security flaws across your applications, such as SQL injection or cross-site scripting (XSS), and develop a pointed training curriculum to educate developers on recognizing and remediating those flaws accordingly.

Take the time to understand the different types of vulnerabilities and their context within your applications’ design. Naturally, you’ll want to address any high-severity flaws, but also consider whether they can be exploited by an attacker. Is this a critical vulnerability? Is the function within the call path of the application? Chances are, there are dozens of medium-severity vulnerabilities that have a higher risk of exploitation than any of the high-severity ones.

All Apps Are Not Created Equal

Not all applications are created equal, because all applications do not pose the same level of risk across the board. You need to have a way to manage and prioritize your risks — not to mention scarce resources — across your application landscape.

Unfortunately, we don’t live in a perfect world. However, having a grasp of your application landscape, applying the right technology in the right place and empowering your developers to take ownership of secure coding practices will ensure that you don’t have to pick sides in balancing speed and security.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today