Software is increasingly becoming key to every enterprise’s innovation, competitive advantage, and bottom line. At the same time, it’s also increasingly becoming cyberattackers’ favorite target. Consequently, in the world of software security testing, slow and late are out. “The earlier the better” doesn’t apply in all circumstances, but it is certainly the case when it comes to security testing code. The earlier in the development process you identify security-related defects, the easier, faster, and cheaper they are to fix. According to NIST, fixing vulnerabilities at the coding stage provides a 10x cost savings versus fixing vulnerabilities in the testing stage.
And a couple factors are combining to make this “find and fix early” focus even more critical:
In the end, we need to secure apps, and we need AppSec solutions that work the way developers need to work today.
As part of our continuing efforts to help developers secure their code at DevOps speed, our Static Analysis product now includes a feature called Accelerated Results. This feature gives developers security findings from static analysis earlier in the static scanning process so they can work on making fixes sooner.
Applications in some languages, including .NET languages (over 25 percent of all enterprise applications), consist of multiple code “modules.” Veracode’s Accelerated Results feature provides results to developers as each module finishes scanning, providing developers with faster results turnaround and enabling them to start fixing issues sooner.
Ultimately, AppSec will not be effective going forward unless it aligns with development and supports the move toward more rapid development cycles.
Accelerated Results takes another step toward that alignment by allowing developers to get started fixing vulnerabilities sooner, compressing overall development cycles and leading to higher fix rates earlier in the SDLC.
For more details on securing code at DevOps speed, see 5 Principles for Securing DevOps.