Intelligent CIO Europe Issue 34 | Page 57

FEATURE : SOFTWARE

MOST DEVELOPERS LACK SUFFICIENT APPLICATION SECURITY KNOWLEDGE TO ENSURE THEIR CODE ISN’T VULNERABLE.

Patrick Carey, Director of Product Marketing at Synopsys

as well as improvements to both of these metrics over time, i.e. who is writing secure code and who isn’t, and are they improving?

We must also recognise that there can be too much of a good thing in terms of security tooling. ESG reported over a year ago that organisations, on average, run 25 to 49 security tools from up to 10 different vendors. Some of these are monitoring tools for IT infrastructure, such as network, endpoint, wireless, identities and so on. But it applies to software development as well.

Analysts like Forrester and 451 Research have reported on security tool sprawl in the past year, noting that as many as 40% of organisations admit that their development teams are so overwhelmed by security alerts that they can’t respond to at least 25% of them. Indeed, when security alerts are so constant, they become background noise and are ignored – the exact opposite of the intent.

It shouldn’t be this way. The right combination of tools that run the right tests at the right time can help security keep pace with development, which has moved into hyperdrive over the past few years. And still, there is a persistent perception that if some tools improve your security, more will improve it even more.

Unfortunately, it could be just the opposite. If you pile too many tools on your development team, especially if you can’t coordinate them on a single platform, your developers are more likely to ignore critical alerts.

Too many tools can even expand your attack surface if they don’t communicate securely or aren’t updated regularly. So what can you do?

Take an inventory of your security tools

Eliminate tool sprawl by taking a rigorous inventory and evaluating it. Know what you have and what it’s intended to do.

It’s of great importance also to make sure your tools are properly configured, deployed and up to date. And then evaluate: are they doing what they’re supposed to? Is any tool doing the same thing that another tool might be doing better? If a security tool is inferior or redundant, get rid of it. Security clutter is the last thing you want.

Make sure tools complement one another

Be sure your tools can work together. It doesn’t matter that a single tool is considered best in class if it can’t play nice with all the others. Your tools need to integrate with one another and into your workflow, which makes it easier to embed security into the SDLC from start to finish.

As the experts say, the best way to encourage developers to add ‘Sec’ to DevOps is to make the secure way the easier way.

Integrate tools into your workflow

The way to make security easier, and combat security tool overload in the process, is to integrate your security tools into a single platform with a dashboard that flags bugs and other potential defects as you go. It’s far better than forcing developers to return to code they wrote weeks ago to deal with problems you discovered today.

High velocity development is the future, there’s no denying it. And while security must keep up with methodologies such as DevOps, it must be carried out in a way that enables development teams to build security into their existing processes. As the shape of software development continues to evolve, so too must the mechanisms to secure it – and that doesn’t simply mean an overabundance of security tooling.