Managing the competing demands of development velocity and application security
November 2, 2020
Reject silver bullets. Teams should leverage multiple types of security testing tools across the software development lifecycle (SDLC) to address different forms of risk in both proprietary and open source code.
Integrate and automate. Software development is increasingly automated, and application security testing needs to be as well.
Train the team. Without sufficient software security training, developers struggle to address the findings of application security tests. An effective way to remedy this is to provide “just in time” security training delivered through the IDE.
Keep score. If what gets measured gets done, then it’s important to measure the progress of both your AppSec testing and security training programs. This includes tracking the introduction and mitigation of security bugs as well as improvements to both of these metrics over time.