Oct 9, 2018

Application Security Mistake No. 6: Going It Alone

By Suzanne Ciccone

We’ve been in the application security business for more than 10 years, and we’ve learned a lot in that time about what works, and what doesn’t. This is the sixth and final post in a blog series that takes a look at some of the most common mistakes we see that lead to failed AppSec initiatives. Use our experience to make sure you avoid these mistakes and set yourself up for application security success.

Why AppSec Expertise and Experience Matter

Defining and growing an application security program for your organization can be a daunting task, and it requires people with a deep understanding of software security. In addition, when your program is up and running, finding vulnerabilities in your code is only the first step. The second is remediation, which requires knowledge, experience, and specialized developers. What happens if you get stuck and don’t know the right way to remediate?

Whether you are figuring out where to start or trying to scale an established application security program, getting help from people with experience can improve the effectiveness and maturity of your program.

What happens to your application security program without enough or the right staff? The negative impacts include:

  • Delayed software releases because security issues are not getting fixed in time
  • Ever-increasing technical debt because found flaws are not fixed
  • Frustrated developers, creating friction with the security team
  • AppSec issues become marginalized due to a perceived inability to do anything about them
  • Increasing information security risk exposure

Yet organizations struggle to find the right people who fit that bill. Veracode recently sponsored the DevSecOps Global Skills Survey from DevOps.com and found that nearly one in three technology professionals said the IT workforce is unprepared to securely deliver software at DevOps speeds, and just over half said they believe it is only somewhat prepared.

The survey also revealed that fewer than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.

Finally, the 2018 Cyberthreat Defense Report found that a rising shortage of skilled personnel is the number one inhibitor organizations face when trying to establish a security program.

Evidence of the Expertise Edge

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise.

We’ve seen the difference this support makes: Veracode customers who work with our security program managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics.

In fact, data collected for our State of Software Security report found that developers who get coaching from security experts fix 88 percent more flaws.

Learn From Others’ Mistakes

Don’t repeat the mistakes of the past; learn from other organizations and avoid the most common AppSec pitfalls. Today’s tip: Extend your security team with outside AppSec expertise. Get details on all six of the most popular mistakes in our eBook, AppSec: What Not to Do.


Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.