Secure Development Without Sacrificing Innovation and Speed

If you know the term “nightly build,” chances are you’ve been a part of that process before. A nightly build - or code compiled overnight from previously checked code - is a foundational way to find flaws or issues that arise from changes made during long build processes. But while a staple in DevOps, nightly builds also present a problem: if new bugs are discovered the following morning after the build, everything slows down. Additionally, such activity only heightens the wall between development and security by compartmentalizing the tasks developers and security professionals must undertake every day (or night).

The history of the divide between security and development doesn’t fall solely on nightly builds, of course. It comes from a place of misconception, where developers fear that security leaders are ready to stall production at every turn, and security leaders lack the knowledge to fully understand the lingo, processes, or goals of developers. Historically, both teams have worked away in their own siloed departments with little to no direction from leadership on ways to come together.

Unifying security and development

By bridging the lines of communication, both teams can start to have serious conversations about producing more secure code without sacrificing the speed needed to meet tight deadlines. At the core of the issue is education. Both development and security teams need to find a common ground for working together and take it a step further to understand exactly how the other side of the aisle works – and how they can plug in their own processes to make that work more effective.

On the developer side of the aisle, that comes down to appreciating the value of security and sharpening the skills they need to write code with fewer flaws and bugs. On the security side, it means understanding developer timelines, tools, and processes, then working with leadership to figure out how to integrate security tools into their existing methods for time-saving automation and valuable coding feedback.

According to a recent report by Securosis, this should be a top-down effort involving members from all the necessary teams. “With DevOps you need to close the loop on issues within infrastructure, security testing as well as code. And Dev and Ops offer different possible solutions to most vulnerabilities, so the people managing security need to include operations teams as well.”

Once members of these teams come together with open dialogue about current issues and business goals, they’re on the right path to begin discussing which processes and tools will improve the health of their application security without impacting deployment speed.

Know where to start when fixing flaws

Security debt is a real problem that adds up over time and should be addressed with a plan of action to bring it down and reduce risk. But not every vulnerability is mission-critical, whether it sits in a pile of security debt or it was discovered in a batch of new flaws during a recent scan.

According to the Securosis report, deciding which vulnerabilities to tackle first is a common issue for development teams. “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which did not,” the report says.

Prioritization can speed up the entire development process as little time is wasted going back and forth. While helping to set priorities for developers, security leaders have an opportunity to help developers understand which flaws need to be addressed immediately during development, and which possible threats tie back to unattended vulnerabilities so that developers have a better understanding of how to prioritize flaws in the future.

Automation through integration

Automation brings rapidity and, if used long enough, consistency. With modern software development speeding up and not slowing down, it’s more important than ever that developers have the right scanning tools to plug directly into their existing processes with seamless integration. And while automated feedback and security testing alone won’t catch every flaw, error, or vulnerability, it sets a precedent for incorporating security into the development process, and a baseline for healthy code as the team moves through development.

Complete application security plans incorporate scanning and testing into every stage of the development process, from the IDE to the Pipeline and even review, staging, and production. Veracode Static Analysis has this covered, with automated security feedback in the IDE and Pipeline that alerts (and trains) developers while they work. Veracode Static Analysis conducts a full policy scan before deployment too, showing the vulnerabilities that developers should focus on, and leaving an audit trail for review.

With a tool like Veracode Static Analysis integrated into existing systems and processes, security and development teams will gain clear insight into not only which flaws to prioritize, but also areas where developers need more training and education so that they can produce more secure code in the future. This automated (and peer) feedback helps set a standard for consistency, and improves speed overall – those nightly builds can then turn into builds with continuous integration that facilitates faster fix rates.

eLearning tools for continuous education

Continuous education is something that both security and development should embrace if they want to help close the information and communication gaps between the two teams. Security leaders for their part should brush up on developer lingo, tools, and languages – especially when a new language is introduced into the development process.

For developers, boosting skills through hands-on courses, virtual workshops, and instructor-led training increases the speed at which developers work and the security of their applications. By bringing continuous education into the mix so that secure code is front of mind, security and development teams will have an easier time shifting security left with each new project. Eventually, it’ll become a regular part of the process to learn from past mistakes, grow to become more innovative and adapt to new security threats.

Tools like Veracode Security Labs take training to the next level by providing developers with real-world examples of threats that they can exploit and patch for practice. This hands-on-keyboard training is unlike cookie-cutter courses, as it is interactive and focuses on real applications with real vulnerabilities.

Security Labs helps meet training and compliance needs, too, with customized education in the languages an organization’s developers use most. That tailored experience becomes invaluable when every hour of the day is dedicated to improving the security of your applications. Developers start learning right away and plug back in when they’re ready for more; it’s a small step that has a big impact.

For more information on speeding up the development process through integration, automation, and feedback, read our eBook on how you can secure your software development pipeline with Veracode Static Analysis.