How to empower your DevSecOps heroes

Chris Eng, Vice President of Research, Veracode

Applications are still the primary target for malicious actors attempting to breach enterprise networks. Yet 85% of all applications contain at least one vulnerability following the first scan, and more than 13% of applications contain at least one very-high-severity vulnerability, according to new research.

It’s not hard to see why. Organizations are racing against the clock to deploy new features in their applications. With development teams facing increasing pressure to keep pace with accelerated development timelines, maintaining application security seems like something only a superhuman effort could accomplish.

An emerging class of companies has formed teams meant to rise to the challenge of building security into the software development lifecycle (SDLC). In the 2018 State of Software Security report, Veracode has uncovered significant evidence that companies using DevSecOps practices are achieving incredible feats, including fixing vulnerabilities discovered in their code 11.5 times faster than other companies did.

Here's what you can learn from companies leading the charge on DevSecOps, as well as pitfalls to be aware of.


Get continuous or go home

As the DevOps movement has unfolded, security-minded organizations have recognized that embedding security design and testing directly into the continuous software delivery cycle is the only way to keep up. This is the foundation of DevSecOps principles, which offer a balance of speed, flexibility, and risk management for organizations that adopt them. The difficulty is that, until now, it has been tough to find concrete evidence of DevSecOps’ security benefits.

When organizations embrace DevSecOps, they embed security checks into those ongoing builds, folding in continuous improvement of the application’s security posture alongside feature improvement. Keeping this in mind, it’s only natural that a DevSecOps organization will scan its code much more frequently than a traditional waterfall or agile development organization.

Whatever the cadence of scanning, the State of Software Security report data shows that there is a very strong correlation between how frequently an organization scans and how quickly it addresses its vulnerabilities. Whether an organization officially labels its development practices as DevOps, agile, DevSecOps, or something else entirely, the data shows that the teams scanning more often make incremental improvements every time they test.

For example, when apps are tested fewer than three times a year, flaws persist more than 3.5 times longer than they do at organizations testing seven to 12 times annually.

Organizations really start to take a bite out of risk when they increase frequency beyond that; each step up in scan rate results in a shorter time to fix.

Beware the speed bumps

As more organizations move to DevSecOps and reap the automation and speed benefits, app sec processes need to keep pace with continuous software delivery. This becomes challenging because developers need to manage many separate tools; new app sec tools that do not integrate well or lack flexible APIs and integrations are met with low adoption, high distraction, and a steep learning curve.

Development teams often see security teams as bottlenecks that slow down each new release. Meanwhile, security teams resent the extra (and unplanned) work responding to vulnerabilities created by developers who cut corners on secure coding in order to meet deadlines.

Especially for new DevSecOps programs, establishing open communication and collaboration across teams can reduce the effort spent to meet organizational goals. This process may even reveal developers with a particular aptitude or interest in security who, with proper training, can act as security champions on their teams. These champions need not be security experts, but can act as a liaison to the security team, ensuring that their fellow developers are coding with security in mind as the application comes together.


Empower developers to be your DevSecOps heroes

Application security is effective at reducing risk only if flaws are fixed once they’re identified. Across industries, more than 70% of all flaws remained one month after discovery, and nearly 55% remained three months after discovery, according to the new report. This confirms what development and mature security teams know well: It takes time to fix security flaws.

Contrary to what some security staffers might believe, developers simply can’t wave a magic wand over the portfolio to fix their accumulated security debt in an instant, or even in a week. On top of that, there are other factors at play, including quality assessment, product release cycles, and other exigencies of delivering software to the real world.

Still, there are promising signs that prioritization approaches and software development methods exist that could help organizations reduce risk more quickly. With the incremental changes that embed security design and testing directly into the continuous SDLC, every developer has the chance to be a hero.