It is not uncommon for organizations to run "appsec programs" that do not actually improve the security of their applications. What good is a program if the applications coming out of it are no better than when they went in?
Every organization has two competing objectives: developers must keep delivering new code quickly, and security must make sure that code does not ship with exploitable flaws.
These competing objectives get stuck in a cycle. Developers write more code and accidentally introduce flaws and vulnerabilities; security scans the finished application and delivers a list of findings back to developers; developers have to prioritize those findings in their backlog. But developers cannot slow down, so they keep writing new code while trying to fix some of the old problems, and they end up fixing flaws at roughly the same rate that new ones are introduced.
This cycle continues, and while your company is doing appsec, you are not actually producing applications that are more secure.
This happens because developers build software in three primary phases: writing code, combining the team's code and checking how everything integrates, and finally pushing the assembled application to production. In most programs today, appsec testing only happens at that final stage, right before an application is ready for production. Testing at this stage is essential for full security coverage of the application, but it is also the stage where fixing newly found issues slows development the most; this is where the dreaded "unplanned/unscheduled" work crops up.
Run Security Tests Throughout the Software Development Lifecycle
Remember back in school when you had to write papers and essays? Most likely you wrote your paper and then submitted it to your professor. You could rely on your own ability to check it for spelling and grammar issues, but you were unlikely to get much beyond those simple problems into things like context, flow, and accuracy. Even so, despite your best efforts, the paper would probably still be rife with grammar, spelling, and formatting errors. After all, we are only human.
Luckily, you could use tools that check spelling, grammar, and sentence structure while you were writing, which reduced later reviews to context, accuracy, and flow and saved you time on revision so you could move on to other assignments. Of course, your professor still needed to review the work and assign a grade to the final paper. There are things a spelling and grammar checker will not find, such as accuracy of knowledge, the flow of the entire paper, and whether it fits the assignment. So while these tools leave you with less work to do later, you still need all three: assistance while you are writing, reviews from your peers, and the final grade from the professor. AppSec is no different…
Instant Feedback and Contextual Education is Key
Put this example in the context of application development and you can guess what it does to your development team's velocity, and therefore your organization's ability to innovate. There was a time when developers would hand their code to a QA team and receive a laundry list of bug fixes in return. They soon realized that if they took ownership of some of that testing while writing their code, they could drastically reduce the number of bugs and issues that came back to them later. Total findings dropped and the teams kept their velocity.
The same holds for security: developers want to know, in the moment, while they are working, whether the code in front of them is secure, so they can fix problems as they go. They also need guidance as they go, from a tool that tells them not only which issues exist but also how to fix them right then.
By doing this – over time – you can drastically reduce the amount of unplanned/unscheduled work that your developers have to handle: something they will really appreciate. So how can we do this?
Greenlight Provides Continuous Flaw Feedback and Secure Coding Education
We know that developers care about the quality of their code, and that they cannot sacrifice velocity for security. Yet the success of an application security program rests squarely on their shoulders, because at the end of the day, we are talking about applications that contain code that developers write. This was the impetus for Veracode Greenlight, which empowers developers to deliver applications faster by writing secure code within their chosen IDEs. It allows them to answer the question, “is my code good?”
Greenlight offers continuous feedback from its scans, most of which complete within seconds, giving developers feedback when and where they want it most: on the lines of code they are currently writing. It also helps security and development leaders continuously educate their development teams on secure coding by serving up remediation guidance on what the flaw is, how it can be exploited, and how to fix it, and, depending on the flaw type, it will even provide sample code that shows how to fix it.
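To make the shape of that in-the-moment feedback concrete, here is a small added example written for this article; it is not Veracode Greenlight code and does not show how Greenlight works internally. It uses Python's standard-library `ast` module to scan a source file for two common flaw patterns (a shell command built from a dynamic string and run with `shell=True`, and a SQL query built by string formatting) and attaches to each finding the four pieces of guidance the text describes: what the flaw is, how it can be exploited, how to fix it, and a sample fix. The rule names, the `Guidance`/`Finding` types, and the `SAMPLE` source it scans are all constructed for this example.

```python
"""Minimal editor-style security checker (added example, not Veracode Greenlight code)."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Guidance:
    """The remediation guidance attached to every finding (fields chosen for this example)."""
    cwe: str
    what: str
    exploit: str
    fix: str
    sample: str


@dataclass(frozen=True)
class Finding:
    line: int
    guidance: Guidance


# Hypothetical rule catalogue, constructed for this example.
SHELL_INJECTION = Guidance(
    cwe="CWE-78",
    what="OS command injection: subprocess call with shell=True and a command built at runtime",
    exploit="Input containing '; rm -rf ~' (or similar) is interpreted by the shell as extra commands.",
    fix="Pass the program and its arguments as a list and leave shell=False.",
    sample="subprocess.run(['ls', '-l', path], check=True)",
)
SQL_INJECTION = Guidance(
    cwe="CWE-89",
    what="SQL injection: query built by string formatting or concatenation",
    exploit="Input such as \"' OR '1'='1\" changes the query logic and returns every row.",
    fix="Use a parameterised query so user input is never parsed as SQL.",
    sample="cur.execute('SELECT * FROM users WHERE name = ?', (name,))",
)


def _callee_name(call: ast.Call) -> str:
    """Return the last component of the called name, e.g. 'run' for subprocess.run."""
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    if isinstance(call.func, ast.Name):
        return call.func.id
    return ""


def _shell_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _is_dynamic_string(node: ast.AST) -> bool:
    """True for f-strings, concatenation/%-formatting and .format() calls; literals are fine.
    Plain variables are deliberately not flagged, to keep false positives low."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp):
        return True
    return (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == "format"
    )


class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee_name(node)
        first = node.args[0] if node.args else None
        if (name in {"run", "Popen", "call", "check_call", "check_output"}
                and first is not None and _shell_true(node) and _is_dynamic_string(first)):
            self.findings.append(Finding(node.lineno, SHELL_INJECTION))
        elif name in {"execute", "executemany"} and first is not None and _is_dynamic_string(first):
            self.findings.append(Finding(node.lineno, SQL_INJECTION))
        self.generic_visit(node)


def scan(source: str) -> list[Finding]:
    """Scan one Python source file and return findings ordered by line."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def render(finding: Finding) -> str:
    """Format a finding the way an editor would show it next to the offending line."""
    g = finding.guidance
    return (f"line {finding.line}: [{g.cwe}] {g.what}\n"
            f"  how it can be exploited: {g.exploit}\n"
            f"  how to fix it: {g.fix}\n"
            f"  sample fix: {g.sample}")


# Constructed sample input: two flawed functions and one that is already safe.
SAMPLE = '''import subprocess, sqlite3
def list_dir(path):
    return subprocess.check_output("ls -l " + path, shell=True)
def find_user(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
def safe(cur, name, path):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    subprocess.run(["ls", "-l", path], check=True)
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(render(finding))
```

Run against `SAMPLE`, the checker reports a command injection on line 3 and a SQL injection on line 5, and says nothing about the safe function on lines 6 to 8. A real IDE integration would run `scan` on every save and surface `render` output inline; the point is that the developer sees the flaw, the exploit, and the fix before the code ever reaches a final pre-production scan.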
Reduce the Number of Flaws to Maintain Secure Application Delivery
Overall, the goal is to reduce the number of flaws entering downstream activities, maintain development velocity for the good of your organization, and improve adoption of your appsec program by giving developers tools that work where, when, and how they expect them to. If you can get security and development teams on board with finding and fixing things up front, it drastically reduces the amount of work they have to do later, making appsec a help, not a hindrance.
For additional context, and to learn more about the impact Veracode Greenlight has had on our customers' appsec programs, watch Secure Development and Scalable Application Security with Veracode.