In today’s ever-evolving digital trust landscape, the term DevOps has become synonymous with speed. If you want to compete, you need to build quality code quickly. Yet as quickly as companies are able to innovate, the bad guys are constantly developing new ways to exploit vulnerable applications.
With that in mind, business leaders and security managers need an application security solution that integrates into the software development life cycle (SDLC) to maintain speed to market. However, there is a delicate balance between security and speed, and striking it is an exercise in understanding your objectives and risks and empowering your developers to lead the charge.
Understand Your Application Security Objectives
If your priority is to simply check the box, so to speak, to satisfy regulatory requirements, it’s important to consider that compliance does not always equal security. That’s not to say achieving compliance is a fast or easy task, but if your goal is to prevent a breach by writing secure software, you need to go beyond just compliance.
Most regulatory requirements are painted with a broad brush and don’t take the nuances of your application into consideration. Compliance is a point-in-time endeavor to check a specific set of requirements that could quickly become irrelevant given the lightning-fast pace of application development. That’s why instituting security throughout the development pipeline is crucial to delivering secure code on time. When security is baked into your application’s DNA from the start, compliance should come easy. Furthermore, you can set yourself apart from the rest of the market by establishing security policies based on the needs of the business.
What Makes a Balanced AppSec Program?
There’s a common misconception that only certain types of application testing can match the speed of Agile or DevOps methodologies. Because of this, many organizations will settle for the type of application testing solution they think satisfies their delivery timelines.
There is no single magic bullet that will provide end-to-end security coverage across your entire app portfolio. Static analysis cannot test for broken authentication, just like dynamic analysis cannot test for insecure data flows. It takes a balanced approach to testing and leveraging different technologies to have a fully mature application security program.
The good news is that application security technology has advanced leaps and bounds over the last decade and is shifting left with the rest of the industry. Static analysis can be integrated at the earliest stages of the development life cycle, and dynamic analysis can be applied to QA testing and even functional testing to only check for certain code changes. Taking the time to understand your risk tolerance and adopting the right blend of technologies can help ensure that you’re delivering quality secure code on time.
Empower Your Developers to Be Security Standard-Bearers
Part of the nuance of balancing security and speed is finding security flaws quickly so you can remediate rapidly. You may have had a high school coach or teacher who taught you how to fail so that you may learn from your mistakes. The same applies to security.
It’s important to recognize real security vulnerabilities early and have an action plan in place to remediate them before they are pushed into production. A major component of this approach is a development team that is backed by a thorough security training curriculum and empowered to take remediation into its own hands. For starters, consider the most common recurring security flaws across your applications, such as SQL injection or cross-site scripting (XSS), and develop a pointed training curriculum to educate developers on recognizing and remediating those flaws accordingly.
Take the time to understand the different types of vulnerabilities and their context within your applications’ design. Naturally, you’ll want to address any high-severity flaws, but also consider whether they can be exploited by an attacker. Is this a critical vulnerability? Is the function within the call path of the application? Chances are, there are dozens of medium-severity vulnerabilities that have a higher risk of exploitation than any of the high-severity ones.
All Apps Are Not Created Equal
Not all applications are created equal, because all applications do not pose the same level of risk across the board. You need to have a way to manage and prioritize your risks — not to mention scarce resources — across your application landscape.
Unfortunately, we don’t live in a perfect world. However, having a grasp of your application landscape, applying the right technology in the right place and empowering your developers to take ownership of secure coding practices will ensure that you don’t have to pick sides in balancing speed and security.
Product Marketing Manager - App Security IBM
Joe is the Product Marketing Manager for IBM Security's Application Security segment. His previous experience as an AppSec program consultant and content mar...