AppSec Bites Part 1: Balancing Speed and Thorough AppSec Coverage

A joint blog post from Veracode and ThreadFix

In today’s world, speed wins. Just take Amazon for example. You can place an order with the click of a button and have it delivered to your door in under twenty-four hours. Retailers that can’t compete with Amazon’s speed are falling behind. The same level of speed and efficiency is expected with technology. Companies are in a race to deliver new and innovative technology first. But aside from speed, companies are also concerned about the security of their software. It does you no good to release new software first only to have it compromised.

So therein lies the dilemma … How do you release software fast while still implementing a comprehensive application security (AppSec) program? One of the most widely recognized solutions is moving security practices left. What that means is that instead of implementing AppSec scans right before production, which can be time-consuming, many organizations are starting their scans during the development phase.

But not every scan type can be conducted early in the software development lifecycle. Scans like penetration tests or dynamic analysis are best performed in runtime. Does that mean you should neglect dynamic analysis or penetration tests? In part 1 of the AppSec Bites podcast series, Tim Jarrett, Director of Product Management at Veracode, argues ‘no.’ Dynamic analysis and penetration tests find flaws that earlier scans – like static analysis – can’t find. So, it’s worth taking a little extra time to run those scans.

What are some ways you can save time on AppSec scans? If you have scans that can be effectively implemented early, implement them early. If you don’t currently automate your AppSec scans, automate them. And lastly, consider leveraging Veracode’s sandbox capabilities for developers. As Kyle Pippin, Director of Product Management at ThreadFix states, “The sandbox allows developers to get hands-on with risks before they get promoted to the security team. It enables developers to fix the low-hanging fruit.”

So, the overall takeaway is that speed and security are a balancing act. You need to consider the risks involved with your application, set expectations with the developers on what flaws should be prioritized, and decide on what scan types make sense. Weigh the tradeoff of time and security for each application and follow best practices for speed to market, like shifting security left as much as possible, automating scans, and leveraging developer sandboxes.

For more information on finding the balance between speed and AppSec coverage, check out part 1 of our recent podcast series with ThreadFix.

Tim Jarrett is Senior Director of Product Marketing at Veracode. A Grammy-award winning product professional, he joined Veracode in 2008 and has a Bacon number of 3. He can be found on Twitter as @tojarrett.