Shifting security “left” is about more than simply changing the timing of testing. When security shifts to earlier phases of the development lifecycle, it also changes who is responsible for conducting the testing and addressing the results. In the not-so-distant past, the security team would conduct most security testing late in the software development process, pass the results back “over the wall” to developers, and consider its work done. With the rise of DevOps and DevSecOps, finding and fixing security-related defects has become a shared responsibility between security and development, and security testing has shifted further left, into the realm of the developer.

The development team now has primary responsibility for security in the development phase and is responsible for making sure its code gets both scanned and fixed. The security team has more of an oversight role in that phase, focusing on goals and policy. This is a significant change that requires entirely new tasks, skills, priorities, and mindset.

But there is one big blocker to this change: most developers don’t have secure coding skills. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com and found that fewer than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers are on the job, employers aren’t advancing their security training options either: approximately 68 percent of developers and IT pros say their organizations don’t provide adequate training in application security. The bottom line is that most developers won’t know what to do with a long list of security flaws.
It follows that if you shift security left into developer workflows without adequate training and guidance, you will not create more secure code; you will delay developer timelines and still ship vulnerable code. Shift left only works when developers get the tools and assistance they need to succeed, and a key part of that is remediation guidance. This adds another task to the security team’s plate: developer training and coaching.
In their recent report, CISO Playbook: Embedding AST in the Software Development Lifecycle, Gartner notes that “organizations can better support AST early in development by prioritizing AST tools and services that integrate into IDEs and produce actionable findings, with an emphasis on the type and quality of information provided to developers. Tools that are fast but contain little guidance on remediation may not achieve the time savings desired, if developers struggle to understand why a vulnerability was introduced and how to fix it.”*
Ultimately, the speed at which you receive security-testing results is meaningless without the guidance needed to address those results.
We have research that supports this idea as well. Each year for our State of Software Security report, we analyze the data accumulated from all the security assessments we performed in the previous year. In our most recent report, we found that organizations that use consulting services offering analysis and advice to developers alongside the scan results show tremendous improvement in fix rates. We compared flaw density (flaws per MB) on the first and last scans of the year for organizations that took advantage of remediation coaching and for those that didn’t. The numbers revealed that remediation consulting can contribute to an 88 percent improvement in an organization’s fix rate. Clearly, when developers are given extra resources to accomplish their security goals, they make progress on the flaw density in their software.
The bottom line is that application security success is about more than finding security flaws; it’s about fixing them. And in a DevOps world, security and development have to work together to ensure that what gets found gets fixed. Make sure your developers are equipped to fix what they find and truly reduce your application security risk.
To get more best practices on embedding security into the development lifecycle, read the entire Gartner report, CISO Playbook: Embedding AST in the Software Development Lifecycle, mentioned above.
*Gartner CISO Playbook: Embedding AST in the Software Development Lifecycle, Ayal Tirosh, Prateek Bhajanka, 13 July 2018