Unplanned work is the enemy of productivity – in all aspects of life. Any activity that pops up unexpectedly and eats up your time and resources is a productivity killer. You’ve probably experienced this at home – you drop your son at baseball practice, drive home, and then get a call that he left his glove at home and needs you to bring it to him. Or you’ve experienced it at work – an email is sent out to all customers accidentally, and you have to spend hours doing damage control. In the end, you can’t eliminate all unplanned work – life will always be full of surprises – but reducing the number of unplanned tasks will make you more effective. How do you do this? At home, you can post a baseball-practice checklist for your son next to the door. At work, you can build in quality checks and other controls to prevent mistakes that will create unplanned work. In the world of software development, a robust and effective application security program is one of those controls that can prevent unplanned work.
Software development is about delivering software on time, and it’s about planned activity toward that delivery. But it is also about delivering quality, secure software. And that means that anytime you find a security issue that you need to resolve, it’s an instance of unplanned work. This unplanned work is going to cost time and money, and reduce your capacity to do planned work. In contrast, reducing the amount of unplanned work will boost your capacity for planned work. The bottom line here is that if you reduce the number of security-related defects introduced into your software, your software development will become more effective. Furthermore, if you can tackle your unplanned work in a more efficient way – in this case, remediating software-related defects – you reap even greater productivity benefits.
In the end, implementing an effective application security program will save you money and increase business agility. It will increase the capacity for your business to deliver software that has value. But the key word there is “effective” – application security done right will produce these benefits, application security done wrong will slow your process down and end up costing you money. This involves expanding your application focus beyond finding and fixing – it’s prevention that is going to make the biggest difference to your bottom line.
If you think about application security through the lens of unplanned work, you want it to both reduce the number of “surprise” tasks, plus make those tasks easier to handle. With that in mind, you want to make sure your application security program includes:
Developer education: The flaw that’s easiest to fix is that one that’s never introduced. Most developers have had no training, either in school or on the job, on secure coding. So if your application security plan only involves scanning your code, your developers won’t know how to address the scan results, and won’t know how to avoid the same mistakes in the future. Address this problem with training on secure coding for your development teams, some kind of remediation coaching, and the creation of security champions on development teams who can help keep security issues top of mind, and help addressing security problems when they arise.
To put some numbers behind this idea – we’ve found that development teams that take advantage of secure coding eLearning improve their fix rates by 20 percent. Those that use remediation coaching see fix rates improve by as high as 88 percent.
Integration and automation: This falls under the “make the unplanned work less painful” category. Application security that is automated and integrated into the tools development and security teams are already using makes it easier to find and address security-related defects. If you have to stop what you’re doing and switch tools to conduct a security test – you’re adding to, rather than easing, your unplanned work. Also, with security testing integrated into early development phases, you’re addressing security defects much more quickly and inexpensively than if you wait until later in development phases.
Application security can reduce unplanned work and boost your bottom line, but only if you ensure that you implement a program that goes beyond identifying security-related defects to focus on both ease of identification and remediation and on prevention.
Get more details on the ROI of application security in our eBook, Making Application Security Pay.