Skip to main content
February 11, 2016

Why Ignoring Development and Security Teams Undermines Application Security

In an era of increasingly sophisticated data hacks and attacks, there's a critical need to move beyond protecting your business’s perimeter. To thoroughly safeguard your organization, your enterprise must adopt an approach that addresses systems and software throughout their lifecycles.

A key piece of this strategic approach? Application security. According to CIO magazine, a typical $500 million-plus enterprise has developed more than 3,079 applications. These internal applications represent about 40 percent of a company’s overall application portfolio. Adding to the challenge: Internally developed application portfolios are growing at a robust 12 percent annual clip, IDG Research reports.

In order to successfully protect your company’s applications, your organization must engage your development teams and security teams early in the equation so they're in lock-step with one another — as well as with the rest of the organization. Anything less is a recipe for failure.

Organizations that ignore their development and security teams often fall short when it comes to application security. Internal and commercial developers, security teams, external security consultants, quality assurance specialists and security-as-a-service providers often have different and competing priorities. There’s also a general lack of insight among the teams about what applications the enterprise uses and how to close security gaps.

Among the undesirable results:

  • Code and software that are more prone to vulnerabilities and security gaps
  • API libraries, middleware and clouds that have unnecessary vulnerabilities
  • Miscommunication that leads to uneven results and coding risk
  • The lack of a workable governance framework, which typically results in inconsistent and sloppy coding practices

The outcome of these results is that many threats fly below the radar. In turn, this can unleash a number of dire consequences:

  • Loss of valued data and intellectual property
  • Government fines and sanctions
  • Inefficient internal workflows and processes
  • Bad press and a tarnished brand image
  • An impact on sales, revenue and your enterprise’s bottom line

A best-practice organization, on the other hand, builds an enterprise framework that specifically addresses the needs of development and security teams. With these two groups tied into the overall application security framework, it's possible to dramatically reduce risk through the use of:

  • A governance framework. It's essential to have the unwavering support of senior executives and other key teams to ensure that policies and procedures match the needs of developers — and the organization as a whole. Developers must have a seat at the table and provide both practical and technical input to build this strategic foundation. Conversely, they must fully understand the business needs of the organization.
  • A technical framework. An enterprise must have centralized policy management with clearly defined practices and procedures that apply to all the different development groups. This includes factors such as what open-source coding tools and libraries teams can use, whether they can include specialized functionality, such as Java and Flash, how APIs, clouds and middleware are used to connect applications, and how internal and third-party software interacts with different operating systems, web browsers, databases and more.
  • A technology framework. A platform that manages enforcement is critical. An enterprise must also adopt robust communication and collaboration tools, particularly as teams migrate to DevOps and other Agile methods, so teams can easily share expertise and best practices.

Ultimately, organizations that get serious and address the needs of these key groups — and ensure that developers are in the loop — are far better equipped to tackle the business and security challenges in today's complex business environment.

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions. 

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.