“Speed is the new currency of business.” Chairman and CEO of Salesforce Marc R. Benioff’s words are especially potent today as many organizations small and large look for ways to speed up production during their shifts to digital.
In software development, speed is a critical factor. Everything from shifting priorities to manual processes and siloed teams can seriously impede deployment schedules. One of the biggest obstacles, however, is a lack of security throughout every step of the production process to ensure that coding mistakes and flaws are found and fixed before they turn into project-derailing problems.
A lack of an efficient and flexible AppSec program becomes an issue when you look at the data:
Cyberattacks occur every 39 seconds.
60 percent of developers are releasing code 2x faster than before.
76 percent of applications have least at least one security flaw on first scan.
85 percent of orgs admit to releasing vulnerable code to production because of time restraints.
A mere 15 percent of orgs say that all of their development teams participate in formal security training.
But there’s good news, too. We know from our annual State of Software Security report that frequent scanning with the right tools in the right parts of your software development lifecycle can help your team close security findings much faster. For example, scanning via API alone cuts remediation time for 50 percent of flaws by six days, slamming that window of opportunity shut for cyberattackers.
The Veracode Static Analysis family helps you do just that. It plugs into critical parts of your software development lifecycle (SDLC), providing automated feedback right in your IDE and pipeline so that your developers can improve the quality of their code while they work.
You can also run a full policy scan before deployment to understand what your developers need to focus on and to prove compliance. Together, these scans throughout My Code, Our Code, and Production Code boost quality and security to reduce the risk of an expensive and time-consuming breach down the road.
Automation and developer education
In addition to having the right scans in the right places, there are supporting steps you can take to ensure the quality of your code without sacrificing speed. Automation through integrations is an important piece of the puzzle because it speeds everything up and boosts efficiency. The automated feedback from Veracode Static Analysis means your team of developers has clear insight into existing flaws so they can begin prioritization to eliminate the biggest risks first. Automation also sets the standard for consistency which, as you go, improves speed.
Developer education also helps close gaps in information and communication with security counterparts so that they can work towards a common goal. It goes both ways – if the security leaders at your organization can walk the walk and talk the talk of the developer, everyone will have an easier time communicating goals and solving security problems.
One way to close those gaps is through hands-on developer education with a tool like Veracode Security Labs. The platform utilizes real applications in contained environments that developers can hack or patch in real-time so that they learn to think like an attacker and stay one step ahead. Like Static Analysis, Security Labs helps meet compliance needs too, with customized education in the languages your developers use most.
The prioritization conundrum
Security debt can feel like a horror movie villain as it lingers in the background. But it isn’t always teeming with high-risk flaws that should be tackled first, and so it’s important to carefully consider how to approach prioritization. A recent analyst report, Building an Enterprise DevSecOps Program, found that everything can feel like a priority:
“During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which did not,” the report states.
The security leaders in your organization should take charge, helping developers understand what should be addressed first during development, and also what they should keep an eye on or revisit later. This not only helps your developers fix flaws on the fly while coding, but it keeps them sharp when it comes to future prioritization needs and the ability to chip away at security debt effectively.
Learn more about how to secure your entire SDLC without sacrificing speed by browsing this eBook.
*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by [email protected] (mmcbee). Read the original post at: https://www.veracode.com/blog/secure-development/speed-or-security-dont-compromise