Nearly half of the respondents to the Modern Application Development Security Survey, conducted by Enterprise Strategy Group (ESG), state their organizations regularly push vulnerable code to production. Not surprisingly, for over half of those teams, tight delivery schedules and critical deadlines are the main contributing factor.

In the presence of a deadline, what can be measured is what gets done, and what can’t be (or at least isn’t) measured often doesn’t get done. Everybody knows when a deadline is missed, especially when your release cycles are measured in weeks, days, or even hours. But the security of an application isn’t so easily observed or quantified—at least not until there’s a security breach.

The problem is, when it comes to application security, the “we don’t have time to do it” excuse doesn’t really cut it. This is demonstrated by the 60% of respondents to the ESG survey who reported that their applications have suffered OWASP Top 10 exploits during the past year.

It doesn’t have to be this way. Other findings in the survey report point to opportunities that teams have, both to maintain development velocity and improve application security.

Here are just a few:

  • Reject silver bullets. Teams should leverage multiple types of security testing tools across the software development lifecycle (SDLC) to address different forms of risk in both proprietary and open source code.
  • Integrate and automate. Software development is increasingly automated, and application security testing needs to be as well.
  • Train the team. Without sufficient software security training, developers struggle to address the findings of application security tests. An effective way to remedy this is to provide “just in time” security training delivered through the IDE.
  • Keep score. If what gets measured gets done, then it’s important to measure the progress of both your AppSec testing and security training programs. This includes tracking the introduction and mitigation of security bugs as well as improvements to both of these metrics over time.

There are a number of other interesting findings and recommendations in the survey report. They can help your team manage the competing pressures of release schedules and application security. You can download it here.

You can also learn more in our recent webinar, where I interviewed the survey report’s author, Dave Gruber, Senior Analyst at ESG.

Patrick Carey, Senior Director of Market Analysis and Strategy, Synopsys

