It is six times as expensive to fix an app vulnerability in production as it is to fix one in development, according to a recent CA Veracode webinar. This shouldn't come as a surprise: developers already test for functional and performance bugs early in the Software Development Life Cycle (SDLC). So it makes sense that the people producing code should also test for security early, test often — and use every assessment tool available.
Mobile and web apps are dominating the Internet: According to Tech2.com, for example, mobile users in 2014 spent 86 percent of their time using apps, and just 14 percent surfing the mobile web. And with those users growing savvier, app security in the SDLC is more critical than ever. In an article entitled "Top Tips for New App Developers," Gigaom argues for a combination of hardware and software testing, suggesting that developers resist pressure to "just get it out there" and release apps before they're ready.
Consider Google's advice when it comes to developing Android apps: "You should be writing and running tests as part of your Android application development cycle." The company's best practices for app development go on to note that well-written tests can help catch bugs early on, which makes correcting them easier and gives developers more confidence in their code. But in-development testing is just one part of the new SDLC equation — it's also critical that devs approach app security from more than one point of view.
One big benefit of Agile development? There's no fixed end point. From design and building to rollout and subsequent evaluation, it's always possible to add more features or improve application performance. Even when software has reached the end of its life cycle, lessons learned and code developed help inform the next generation of apps. It's tempting, therefore, to view Agile processes as existing outside of time — since apps are never really "finished," you can just inject a security sprint wherever it makes the most sense.
The problem with that temptation? As I said in the beginning, fixing security bugs after production is more difficult, and it also slows the development of new app iterations to a crawl. The solution is twofold: part cloud, part diversity. Think of the cloud as an Agile resource-delivery system that provides the same kind of speed and mobility as Agile development itself. By leveraging a cloud-based security platform, it's possible to integrate testing at every stage of app design and refinement. Diversity across multiple testing technologies is also essential, because different security testing methodologies uncover different classes of security flaws.
Want to improve the SDLC? Test early, test often, and test with everything in your arsenal.
Photo Source: Wikimedia Commons