With 2016 coming to an end, we, like many companies, are reflecting on the trends of the past year. We are also looking outward to what the future holds for application security, and it has never been clearer that the future of application security will be tied to DevOps and integrating security into DevOps environments. As such, it is crucial that security becomes part of the entire software lifecycle, including early in the development process.
Only by seamlessly integrating security into the development processes will we ensure secure code becomes synonymous with quality code.
Developers are the ones producing code, integrating components and creating the innovations that fuel our digital economy. However, they are also the ones who will determine whether or not security is part of development. Our dependence on software for everything from business systems, managing critical infrastructure and producing new products means developers have to contend with competing priorities. On the one hand, they must keep up with the rapid pace of innovation. On the other, new development paradigms like DevOps or CI/CD are telling developers they are responsible for producing secure code. Yet, according to a recent survey on secure development conducted by Veracode, 52 percent of developers feel as though application security testing can delay development and threatens deadlines. That is, of course, if application security isn’t done in a way that is developer-focused. Only by seamlessly integrating security into the development processes will we ensure secure code becomes synonymous with quality code.
Here are some of the ways Veracode is seizing the opportunity presented by the shift to CI/CD environments to integrate security into the development workflow.
The best way to encourage developers to test for security defects is to allow them to do so right in the IDEs they are currently using, and then track these defects in the same bug tracking tools and code repositories they are already using. Veracode has free plugins for the tools developers are already using.
A core concept of DevOps is the idea of preventing defects of all kinds in code (functionality, performance, stability and security to name a few), not just finding and fixing them. Veracode recognizes the importance of helping developers learn to write secure code. Our AppSec Tutorials help developers quickly remediate security defects found during static or dynamic tests. Veracode is the only application security company that offers remediation tutorials as part of the overall developer training program. AppSec Tutorials are available as part of the Veracode Application Security Platform. When a security defect is found during a security scan, the platform provides a link directly to the AppSec Tutorial session that instructs developers on how to fix that specific vulnerability. These sessions offer developers the critical skills needed to identify and address vulnerabilities, and avoid introducing security defects into future code. In fact, development organizations that leverage Veracode eLearning see a 30% higher vulnerability fix rate.
Developer Sandbox, a patented technology of Veracode’s proprietary binary analysis offered through our cloud-based platform, was developed to solve this problem of embedding security into the development process. Developer Sandbox is a way for individual developers or development teams to assess new code against the required security policy – without affecting compliance reporting for the version of the application currently in production.
And we will release additional innovations in the near future that help security teams and software developers protect applications and shorten time to deployment. Stay tuned for Veracode Greenlight.
And we won’t stop there. The future of AppSec is developer-led, and Veracode will continue to be a driving force behind enabling movements like DevOps with application security solutions and programs.