{"id":8170,"date":"2016-08-17T10:46:53","date_gmt":"2016-08-17T10:46:53","guid":{"rendered":"http:\/\/www.devopsonline.co.uk\/?p=8170"},"modified":"2016-08-17T10:46:53","modified_gmt":"2016-08-17T10:46:53","slug":"why-developers-must-be-enabled-to-build-better-code-to-defend-against-cyberattacks","status":"publish","type":"post","link":"https:\/\/devopsnews.online\/why-developers-must-be-enabled-to-build-better-code-to-defend-against-cyberattacks\/","title":{"rendered":"Why developers must be enabled to build better code to defend against cyberattacks"},"content":{"rendered":"
Janet Worthington, Senior Product Manager, Veracode<\/a>, explains why security and DevOps must collaborate to build a more secure future.<\/em><\/p>\n Collaboration has been the key to successful IT development for over 10 years. The proliferation of open source software code, for example, has enabled the speedy development of millions of applications, fostering a culture of innovation and positive change to the market.<\/p>\n However, while open source software has enabled the quick development of apps, it has also arguably been the birthplace of many security vulnerabilities in long supply chains \u2013 which is why it is critical that all apps are built with security in mind from the outset.<\/p>\n In a utopian world, this would be an easy step to take. However, that is not the world we live in today, and the relationship between developers and the security team hasn\u2019t always been a strong one. Traditionally, the IT security team have been typecast as the ones slowing the development process, finding gaps in the design and sending developers back to the proverbial drawing board.<\/p>\n Yet, even with both the security and development teams agreed on the importance of delivering a high quality application, security procedures are still too often considered late in the development cycle. And if the process of providing continuously secure software wasn\u2019t difficult enough, this certainly doesn\u2019t make it any easier.<\/p>\n Developers are expected to produce high quality code, continuously and at speed. After all, delays cost market share and allow rivals to take the lead. 
However, this can have a detrimental effect on the quality of code developed, with recent research suggesting most developers (85%) believe vulnerability remediation<\/a> harms their potential to produce features and products on time and on budget.<\/p>\n The poll also found that 70% of software and application developers<\/a> often feel pressure to release updates that could override security concerns \u2013 again potentially putting companies and their customers at risk.<\/p>\n Veracode\u2019s research<\/a> into application development revealed a startling 63% of internally developed applications are non-compliant with OWASP Top 10 standards (the widely accepted standard for application security) when initially assessed for security.<\/p>\n And while these may seem like micro issues, when considered as part of the wider economic picture, there are serious fiscal consequences to overlooking security. Indeed, research<\/a> from Veracode and the Centre for Economics and Business Research (CEBR) revealed that cyberattacks cost UK companies \u00a334 billion a year in lost revenue and subsequent increased IT spending.<\/p>\n It is widely accepted by most DevOps teams that having the ability to detect and amend security issues at an early stage of the software development lifecycle (SDLC) would streamline the process. However, turning this sentiment into a tangible reality is a significant challenge for many organisations.<\/p>\n A recent report into the state of DevOps<\/a> found the best performing development teams spend half the time correcting security issues when they take security head on all the way through the SDLC. Indeed, it is when security is left to the final hurdle that long delays and wider issues typically emerge.<\/p>\nGreat expectations of speed<\/h2>\n
The economic cost of insecure DevOps<\/h2>\n
How security and DevOps can work together<\/h2>\n
The benefits of automation<\/h2>\n