In the maddening race to deliver more products, faster, and at a higher quality than ever before, the stakes grow as technical debt soars. Many developers shorten or skip the quality assurance process to meet unreasonable demands, which leads to tension between security teams, product teams and the business. Here's a look at three ways to keep your quality assurance process thorough without slowing your delivery down.
Developers should start the conversation with security advisors at the beginning of their scrums. Nobody should be ambushed by an app or feature that appears in their inbox for review with a deadline even more daunting than the ones developers face to keep up with competitors and hardware. It's important that developers build bridges to their security team and recognize that security personnel only understand their needs and processes when they share this information with them. Including security experts in the early stages of development can help teams get it right the first time, which can save a lot of time and prevent disasters later.
2. Own it
Security is a chief concern for everyone who works on a product. From the first developer to the final salesperson, an unsafe app can be disastrous for the reputations of both individuals and the enterprise. If you're building something, members of your team should own security in every huddle and move forward with safe development and frequent testing in mind.
Beyond owning a product, own the relationships you create with the appsec team. They're a key component of the quality assurance team; they can look at a product you deem complete and tell you it isn't just as accurately as a product manager can. Thankfully, there are lots of tools out there to help developers automate the security testing process throughout the software development lifecycle.
Application security software makes the testing process easier and faster than ever before. There are no excuses for releasing untested products when security software is thorough and the human element can be easily integrated into the development process. Remember — the testing process flags security flaws, which developers need to flag as bugs. It's tempting to dismiss the results of a robotic test as overly specific and the human testing as a frustrating inconvenience, but the reality is that security flaws are at least as problematic as usability bugs.
As developers strive for more streamlined development and delivery processes, integrating security will speed things up rather than slow them down. You don't build an entire product before shipping it to the design team, and security should be prioritized the same way.
These steps sound easy, but it's easier to finish a blog post with "three weird tricks for safer software," close the tab, and never think about it again. Instead of dismissing the apparent ease of improving your quality assurance process as too good to be true, check out Veracode's brief webinar that breaks down specific tools that play into each of these three steps. Your software will be safer, and your development and quality assurance processes will both be smoother. Security teams are critical stakeholders in software development. Don't treat them like an afterthought — it costs valuable time and leaves your product vulnerable to catastrophic attacks.
Photo Source: Flickr