Intelligent CIO Europe Issue 34 | Page 56

FEATURE: SOFTWARE
are measured in weeks, days, or even hours – the security of an application isn’t so easily observed or quantified, at least not until there’s a security breach.
It should come as no surprise, then, that nearly half of the respondents to the modern application development security survey, conducted by Enterprise Strategy Group (ESG), state that their organisations regularly push vulnerable code to production. It’s also not surprising that for over half of those teams, tight delivery schedules and critical deadlines are the main contributing factor. In the presence of a deadline, what can be measured is what’s going to get done, and what can’t be (or at least isn’t) measured often doesn’t get done.
However, ‘we don’t have time to do it’ doesn’t really cut it when it comes to application security. This is demonstrated by the 60% of respondents who reported that their applications have suffered OWASP Top 10 exploits during the past 12 months. The competing demands of short release cycles and improved application security are a real challenge for development and security teams.
It doesn’t have to be this way, and other findings in the survey point to opportunities that teams have to both maintain development velocity and improve application security. Here are just a few:
Reject silver bullets
Gone are the days of security teams simply running DAST and penetration tests at the end of development. A consistent trend shown in the report is that teams are leveraging multiple types of security testing tools across the SDLC to address different forms of risk in both proprietary and open source code.
Integrate and automate
Software development is increasingly automated and application security testing needs to be too. Over half the respondents indicated that their security controls are highly integrated into their DevOps processes, with another 38% saying they are heading down that same path.
Train the team
Most developers lack sufficient application security knowledge to ensure their code isn’t vulnerable. Survey respondents indicated that developer knowledge is a challenge, as is consistent training. Without sufficient software security training, developers struggle to address the findings of application security tests. An effective way to remedy this is to provide ‘just-in-time’ security training delivered through the integrated development environment (IDE).
Keep score
If what gets measured gets done, then it’s important to measure the progress of both your AppSec testing and security training programmes. This includes tracking the introduction and mitigation of security bugs
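As an added illustration of what ‘keeping score’ can look like in practice (this is example code written for this page, not from the ESG survey, Intelligent CIO or any scanning tool), the script below compares two scan results of the same codebase to count findings introduced, mitigated and carried over between builds, and computes mean days-to-mitigate and the age of the oldest open bug. The finding labels, file locations and dates are constructed sample data; real programmes would feed in their scanner’s export and ticket timestamps instead.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data: rule names, locations and dates below are
# illustrative only, not output from any real scanner or survey.


@dataclass(frozen=True)
class Finding:
    rule: str       # weakness category reported by a scanner
    location: str   # where it was found, e.g. "file.py:function"
    severity: str   # "high", "medium" or "low"


def diff_scans(previous: Iterable[Finding], current: Iterable[Finding]):
    """Compare two scans of the same codebase.

    Returns (introduced, mitigated, carried): findings new in the current
    scan, findings gone since the previous scan, and findings in both.
    Identity is (rule, location, severity), so a fix that merely moves the
    code shows up as one mitigated plus one introduced finding.
    """
    prev, cur = set(previous), set(current)
    return cur - prev, prev - cur, cur & prev


def mean_days_to_mitigate(history: List[Tuple[date, Optional[date]]]) -> Optional[float]:
    """history holds (opened, closed) pairs; closed is None while a bug is open.
    Returns the mean days from opening to closing over closed bugs, or None
    when nothing has been closed yet (so an empty programme has no score
    rather than a divide-by-zero)."""
    durations = [(closed - opened).days for opened, closed in history if closed is not None]
    if not durations:
        return None
    return sum(durations) / len(durations)


def oldest_open_age_days(history: List[Tuple[date, Optional[date]]], as_of: date) -> int:
    """Age in days of the longest-open unresolved bug, 0 if none are open."""
    ages = [(as_of - opened).days for opened, closed in history if closed is None]
    return max(ages) if ages else 0


def build_scorecard(previous, current, history, as_of: date) -> Dict:
    """Assemble the per-build metrics a team would track over time."""
    introduced, mitigated, carried = diff_scans(previous, current)
    open_by_severity: Dict[str, int] = {}
    for f in current:
        open_by_severity[f.severity] = open_by_severity.get(f.severity, 0) + 1
    return {
        "introduced": len(introduced),
        "mitigated": len(mitigated),
        "carried": len(carried),
        "open_by_severity": open_by_severity,
        "mean_days_to_mitigate": mean_days_to_mitigate(history),
        "oldest_open_age_days": oldest_open_age_days(history, as_of),
    }


# Constructed results of two consecutive scans of a hypothetical service.
SAMPLE_PREVIOUS = [
    Finding("sql-injection", "orders.py:lookup", "high"),
    Finding("xss", "views.py:render", "medium"),
    Finding("weak-hash", "auth.py:hash_pw", "low"),
]
SAMPLE_CURRENT = [
    Finding("xss", "views.py:render", "medium"),
    Finding("path-traversal", "files.py:serve", "high"),
    Finding("weak-hash", "auth.py:hash_pw", "low"),
]
# Constructed ticket history: (opened, closed-or-None).
SAMPLE_HISTORY = [
    (date(2024, 1, 3), date(2024, 1, 10)),
    (date(2024, 1, 5), None),
    (date(2024, 1, 8), date(2024, 1, 12)),
]
AS_OF = date(2024, 1, 15)

if __name__ == "__main__":
    for key, value in build_scorecard(SAMPLE_PREVIOUS, SAMPLE_CURRENT, SAMPLE_HISTORY, AS_OF).items():
        print(f"{key}: {value}")
```

Run in a pipeline step after each scan and appended to a time series, these figures show whether a team is paying security debt down or accumulating it, which is the trend the survey’s ‘what gets measured gets done’ point is about.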
56 INTELLIGENTCIO www.intelligentcio.com