It has long been common for developers to operate with tunnel vision: Driven by the demand to get their products to market first, security has traditionally been either tacked on at the end or not considered at all.
This lack of a security mandate in the development process has given rise to the recognized need for application security. Some have questioned whether institutionalized security is in order to reshape the software development culture.
While there is some legislation and governance around data loss accountability and liability as a result of a breach, these existing laws are typically regionalized, says Dan Kuykendall, senior director of application security at Rapid7. As a result, they are neither prescriptive nor effectively enforced.
"They also do nothing to promote the idea of building security into the software development culture or incentivize businesses to mandate a security-first approach," Kuykendall says. "Providing prescriptive guidelines and principles on how to build security into the software development culture and institutionalizing these practices would place everyone on equal footing when it comes to releasing software safely with regard to both liability and innovation."
Stunted Creativity: Myth or Reality?
Many have bought into the idea that secure software development stymies innovation. Kuykendall agrees that certain security approaches can slow innovation — "particularly if an organization has adopted a continuous integration/continuous deployment [CI/CD] software development process but is unwilling to invest in and adopt security approaches and tools to keep up with the speed of delivery."
However, "The CISO's Ultimate Guide to Securing Applications" report, published by Synopsys, states that the opposite is true: "Finding and fixing application vulnerabilities during development and testing is more efficient and less expensive than doing so at the end of the process, when an application is already in production."
The key is to synchronize security with the development process. "Automate where you can and integrate into the tools the developers use every day," Kuykendall advises. Security doesn't have to impede innovation; when implemented correctly, security can seamlessly integrate as part of the process developers follow and into the tools they use every day.
Putting Security into DevOps
With DevSecOps, security is at the center of development and operations, ensuring that it is part of the development life cycle. The movement was birthed from a culture of collaboration driven by those who recognize the value of an agile relationship uniting the development, quality engineering, and operations teams.
Integrating security into DevOps begins with a set of processes that foster high levels of communication and collaboration. "Organizations that are getting DevSecOps right are leveraging security as a differentiator to their customers and users," Kuykendall says. "Developers in a DevSecOps team are more mindful of risk and how their code can introduce unnecessary risk to the business and the individuals using the software they build."
More and more customers want to see that developers are very much engaged in the security conversation, not only from a "will this solution hold me up" mindset, but with a more strategic vision in mind, according to Kuykendall. "They want to know if the solutions they use will be able to scale and evolve in a way that supports their own growth and innovation," he says.
Minimizing Risk During Development
According to Verizon's "2019 Data Breach Investigation Report," Web applications were among the top three attack patterns that lead to data breaches across every sector. In the professional services industry, "Web Applications, Everything Else, and Miscellaneous Errors represent 81% of breaches," it states.
As the industry continues to see progress in building more secure applications, a focus on both people and technology will help to advance the DevSecOps movement.
"To address application security before development is complete, it's essential to build security into your development teams (people), processes, and tools (technology). An increasingly popular term for that is “shift left” — make security part of the software development life cycle (SDLC) from the concept and design stage right through the entire development process to production," the Synopsys report states.
Aware of the risks inherent in software, businesses are recognizing the need for application security and developing what WhiteHat Security says resembles a "software production line," according to a 2018 report, "The Evolution of the Secure Software Lifecycle."
Security organizations that have started to move the needle on application security are "working hand-in-hand with operations to automate security testing, packaging, and delivery of these applications. In concert with this trend, application security testing is becoming embedded into each phase of the Software Production Line rather than getting bolted on at the end," the report states.
(Image: Adobe Stock)Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ... View Full Bio