Insight into the world of application development shows interesting and promising trends. Agile development's popularity is increasing, and developers are finding real gains as a result. However, as the line between development and operations continues to blur, it can be easy for established security best practices to fall by the wayside. It's up to the application development community to investigate the best ways to overcome this obstacle.
InformationWeek and Dr. Dobb's recently joined forces to create a survey covering the state of application development for 2015. Responses were gathered from over 500 developers from small, midsize and large businesses alike. While the report provides insight into all aspects of the industry, two trends stand out: the shift toward Agile development, and the difficulties of ensuring security within this methodology.
According to the survey, 69 percent of businesses utilize some form of Agile methodology within their development teams. This shift already appears to be paying dividends, as 76 percent of respondents using Agile have seen either slight or major improvements in their development timelines.
While some projects still struggle with Agile — e.g., major, geographically dispersed projects and mature projects — it appears Agile is the new way that software gets developed.
But even as businesses find success in adopting modern development methodologies, the survey highlighted some concerning findings regarding application security: Only 40 percent of respondents bring in their security teams at the project planning phase, 27 percent have no formal AppDev security program and only 10 percent claim their developers have the expertise to handle security themselves. Additionally, only 57 percent of respondents claim it is corporate policy to learn and use secure coding practices, and less than half of those respondents report that the policy is actually enforced.
When these facts are combined with the desire to do more with less, it's easy to see security becoming a major problem in the future. Add in the fact that application-layer vulnerabilities are emerging as a major cybersecurity threat businesses face, and a very dangerous situation can arise.
An Agile development methodology can absolutely include rigid security control, but only if the development or security teams integrate it at the earliest part of the software development lifecycle (SDLC). Since most cost-averse executives are hesitant to hire extra security professionals, consultants and hardware, CISOs and IT managers need to find a way to increase development security without the expense.
Third-party security specialists offer a complete vendor security solution and will have a breadth of experience in the industry that consultants can't match. These organizations understand how to inject secure coding practices at the very beginning of the development lifecycle, and they have the experience to do it without affecting timetables.
The right security vendor will then be able to actively scan code as it is written. This ensures security issues don't get buried deep within the code and make the source code a beast to change later on. Some security vendors, such as CA Veracode, can even perform static application security tests, scanning the source code outside of runtime and catching security issues that standard dynamic scans may miss. This creates a holistic, policy-based approach to security in which apps are as secure as possible before they are moved into production.
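To make the point about static scanning concrete, here is an added example that is not from the original article and not CA Veracode's or any vendor's product: a small Python AST-based check, of the kind that can run on every commit, that walks source code without executing it. The sample source it scans is constructed for this illustration, and the three patterns it flags (a call to `eval`/`exec`, a subprocess launched with `shell=True`, and an SQL statement assembled by string formatting) are a deliberately tiny subset of what a real static analyzer covers. The point it demonstrates is the one in the paragraph above: the `shell=True` branch is only reached for an unusual input, so a dynamic scan that never sends that input would not observe it, while a static pass over the code finds it regardless.

```python
import ast

# Constructed sample source (not from any real project). The risky branch in
# run_report() is only executed when fmt == "legacy", which is exactly the kind
# of path a runtime (dynamic) scan can miss if its test inputs never hit it.
SAMPLE_SOURCE = '''
import subprocess

def run_report(name, fmt="pdf"):
    if fmt == "legacy":
        # only reached for fmt="legacy"
        return subprocess.run("gen_report " + name, shell=True)
    return render(name)

def lookup(user_id):
    query = "SELECT * FROM users WHERE id = '%s'" % user_id
    return db.execute(query)

def compute(expr):
    return eval(expr)
'''

DANGEROUS_CALLS = {"eval", "exec"}
SHELL_LAUNCHERS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                   "subprocess.check_output", "subprocess.check_call"}
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")


def _call_name(node):
    """Return 'name' or 'module.attr' for a Call node, or '' if not resolvable."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class RiskyPatternFinder(ast.NodeVisitor):
    """Collects (line number, description) findings while walking the AST."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, f"call to {name}()"))
        if name in SHELL_LAUNCHERS:
            for kw in node.keywords:
                # Only flag a literal shell=True; a variable would need data-flow analysis.
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, "subprocess with shell=True"))
        self.generic_visit(node)

    def visit_BinOp(self, node):
        # A string literal that begins with an SQL keyword, combined via % or +,
        # is a query being built from untrusted pieces rather than parameterised.
        if (isinstance(node.op, (ast.Mod, ast.Add))
                and isinstance(node.left, ast.Constant)
                and isinstance(node.left.value, str)
                and node.left.value.lstrip().upper().startswith(SQL_KEYWORDS)):
            self.findings.append((node.lineno, "SQL built by string formatting"))
        self.generic_visit(node)


def scan_source(source):
    """Parse source text (never executing it) and return sorted findings."""
    finder = RiskyPatternFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


def scan_passes(source):
    """Gate suitable for a pre-commit or CI step: True when nothing was flagged."""
    return not scan_source(source)


if __name__ == "__main__":
    for lineno, message in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {message}")
```

Running the block lists line 7 (the `shell=True` launch inside the rarely taken branch), line 11 (the formatted SQL) and line 15 (the `eval` call). Wiring `scan_passes()` into a commit hook is the practical shape of "scan code as it is written": a finding blocks the change while it is still one small diff, rather than surfacing after the code is buried under later work.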
Modern security solutions are also often cloud based, which is ideal for large enterprises with thousands of individual development programs to manage. A cloud-based security solution is inherently scalable, meaning that once the program is working for one project, it can be easily expanded to include more, and can quickly encompass an entire development team.
Modern application development is shifting toward a more Agile mindset, while getting the apps out the door quickly is paramount. This environment can easily lead to security controls being ignored or avoided, making it more important than ever for CISOs to discover a way to inject security into the entire SDLC without causing their development teams unnecessary headaches. In a world where nefarious actors are more active than ever, failing to maintain application security can spell disaster for enterprises.