Why developers must be enabled to build better code to defend against cyberattacks

Janet Worthington, Senior Product Manager, Veracode, explains why security and DevOps must collaborate to build a more secure future.

Collaboration has been the key to successful IT development for over 10 years. The proliferation of open source software code, for example, has enabled the speedy development of millions of applications, fostering a culture of innovation and positive change to the market.

However, while open source software has enabled the quick development of apps, it has also arguably been the birthplace of many security vulnerabilities in long supply chains – which is why it is critical that all apps are built with security in mind from the outset.

In a utopian world, this would be an easy step to take. However, that is not the world we live in today, and the relationship between developers and the security team hasn’t always been a strong one. Traditionally, the IT security team have been typecast as the ones slowing the development process, finding gaps in the design and sending developers back to the proverbial drawing board.

Yet, even with the security and development teams in agreement on the importance of delivering a high quality application, security procedures are still too often considered late in the development cycle. And if the process of providing continuously secure software wasn’t difficult enough, this certainly doesn’t make it any easier.

Great expectations of speed

Developers are expected to produce high quality code, continuously and at speed. After all, delays cost market share and allow rivals to take the lead. However, this can have a detrimental effect on the quality of code developed, with recent research suggesting most developers (85%) believe vulnerability remediation harms their potential to produce features and products on time and on budget.

The poll also found that 70% of software and application developers often feel pressure to release updates that could override security concerns – again potentially putting companies and their customers at risk.

The economic cost of insecure DevOps

Veracode’s research into application development revealed a startling 63% of internally developed applications are non-compliant with OWASP Top 10 standards (the widely accepted standard for application security), when initially assessed for security.

And while these may seem like micro issues, when considered as part of the wider economic picture, there are serious fiscal consequences to overlooking security. Indeed, research from Veracode and the Centre for Economics and Business Research (CEBR) revealed that cyberattacks cost UK companies £34 billion every year in lost revenue and subsequent increased IT spending.

How security and DevOps can work together

It is widely accepted by most DevOps teams that having the ability to detect and amend security issues at an early stage of the software development lifecycle (SDLC) would streamline the process. However, turning this sentiment into a tangible reality is a significant challenge for many organisations.

A recent report into the state of DevOps found the best performing development teams spend half the time correcting security issues when they take security head on all the way through the SDLC. Indeed, it is when security is left to the final hurdle that long delays and wider issues typically emerge.

The benefits of automation

In the age of the cyberbreach, in which two thirds of large UK businesses were hit by a cyber breach or attack in the past year, there must be further consideration paid to cybersecurity at the app development stage – and automation should play a key role.

Today, advanced technology enables development teams to deliver secure code at DevOps speed, by – for example – automating security into the SDLC and into a continuous integration (CI) or continuous deployment (CD) pipeline.

Avoiding analogue coding in the digital age

Enabling developers to scan full applications or individual components as they write them lets them make improvements before sending the software for a formal policy or security review. This helps eliminate the ‘scan and scold’ dynamic that has existed in the past, where even scans of early versions of code shared results directly with security and risk teams.

This can create the perception of software risk or compliance failures for the business well before the application is launched or the developer has had a chance to make changes – often halting the potential for innovation and growth, and sustaining what has become an analogue approach in today’s digital age.
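The two ideas above (automating security into the CI/CD pipeline, and letting developers scan and fix before a formal review instead of ‘scan and scold’) can be made concrete as a policy gate that runs on scanner output. The following is an added example written for this article, not code from Veracode or from any scanner product; it assumes a constructed JSON findings format (not any real tool’s output) and a constructed sample report, and the mode names, threshold and baseline handling are choices made for illustration.

```python
"""Security gate for a CI/CD pipeline (added example, not Veracode code).

Assumes a scanner that emits findings as JSON in the simplified shape used
by SAMPLE_REPORT below (a constructed format, not any real tool's output).
A developer-local run ("local" mode) reports everything as advisory so the
developer can fix issues before a formal review; the pipeline run
("pipeline" mode) blocks the merge on findings at or above the threshold,
except findings already accepted in a baseline, which stay advisory.
"""
import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample scanner output; paths and ids are illustrative only.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "High", "category": "SQL Injection",
         "file": "app/db.py", "line": 42},
        {"id": "F-2", "severity": "Medium", "category": "Weak hash",
         "file": "app/auth.py", "line": 17},
        {"id": "F-3", "severity": "Low", "category": "Debug flag",
         "file": "app/settings.py", "line": 3},
        {"id": "F-4", "severity": "High", "category": "Vulnerable dependency",
         "file": "requirements.txt", "line": 9},
    ]
})


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # findings that fail the build
    advisory: list = field(default_factory=list)   # reported, but not blocking


def parse_findings(report_json):
    """Parse the scanner report and reject unknown severities early."""
    data = json.loads(report_json)
    findings = []
    for f in data.get("findings", []):
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in finding {f.get('id')}")
        findings.append(f)
    return findings


def evaluate(findings, fail_threshold="High", mode="pipeline", baseline_ids=()):
    """Apply the gate policy to parsed findings.

    mode="local":    developer-side run; every finding is advisory.
    mode="pipeline": findings at or above fail_threshold block the build,
                     unless their id is in baseline_ids (already accepted).
    """
    threshold = SEVERITY_RANK[fail_threshold]
    result = GateResult(passed=True)
    for f in findings:
        severe = SEVERITY_RANK[f["severity"]] >= threshold
        known = f["id"] in baseline_ids
        if mode == "pipeline" and severe and not known:
            result.blocking.append(f)
        else:
            result.advisory.append(f)
    result.passed = not result.blocking
    return result


def format_summary(result):
    """Human-readable summary suitable for a CI job log."""
    lines = []
    for f in result.blocking:
        lines.append(f"BLOCK {f['severity']:<8} {f['category']} ({f['file']}:{f['line']})")
    for f in result.advisory:
        lines.append(f"WARN  {f['severity']:<8} {f['category']} ({f['file']}:{f['line']})")
    lines.append("gate: " + ("PASSED" if result.passed else "FAILED"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py [local|pipeline]; exit status 1 fails the CI stage.
    run_mode = sys.argv[1] if len(sys.argv) > 1 else "pipeline"
    res = evaluate(parse_findings(SAMPLE_REPORT), mode=run_mode)
    print(format_summary(res))
    sys.exit(0 if res.passed else 1)
```

The non-zero exit status is what a CI stage keys on, so the same script can be a pre-commit or IDE hook in `local` mode and a blocking merge check in `pipeline` mode; the baseline keeps previously accepted findings from re-failing every build while still listing them, which is what separates a useful gate from the ‘scan and scold’ pattern the article describes.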

However, with the seamless integration of security into the development process, development teams are safer in the knowledge that testing is occurring throughout the entire process – ensuring that software is secure from its origin to when it goes to market. After all, the safeguarding of data is key to any positive user experience, and stronger collaboration between development and security will only enhance this prospect.


Edited for web by Cecilia Rehn.