Security needs to be adopted at every stage of the SDLC
Speed to market has been everything in the software development world. But, over time, we’ve discovered that speed alone cannot be the end all be all. The majority of data breaches have to do with web application security vulnerabilities; and therefore, security must become part of the software development equation.
The problem is that most organizations approach security at the end of the software development lifecycle, when it’s often too late or too complicated to fix vulnerabilities. To be effective, security must be integrated throughout each stage of the entire software development lifecycle.
DevSecOps – application security built into DevOps – is popular in theory, but, to date, it has been poorly adopted. This poor adoption of DevSecOps often stems from the fact that software testing technologies are not customized for each of the different software development and operations roles.
You may also like: Where Can We Actually Use DevSecOps?
Steps to Producing Secure Applications
It’s important to understand that the software development lifecycle includes three main phases, including 1) programming, building/testing, and operations. Within each of the three stages, there are different skillsets and personas. Because of that, application security cannot be a one-size-fits-all approach.
To ensure comprehensive testing, three types of testing technologies must be carried out through each of the programming, building/testing, and operations phases:
- Static application security testing (SAST), which analyzes application code and detects vulnerabilities.
- Dynamic application security testing (DAST), which analyzes applications in run time. It launches simulated attacks and analyzes the reaction to determine if there is a vulnerability.
- Software composition analysis (SCA), which analyzes applications for third parties and open source software. It detects illegal, dangerous, or outdated code.
Security Flavors to Fit SLC Personas
To gain better security traction and results, testing technologies should be offered in flavors that are tailored for each specific developer and operations personas at different parts of the SLC. That way, they’ll be easily adopted and integrated frequently into various parts of the environment.
These flavors and variations of the SAST, DAST, and SCA technologies should each be customized specifically to the abilities of each of the personas that include programmers, build engineers, and pre-and post-deployment specialists.
The chart below shows how nine application security testing products from WhiteHat Security completely cover each phase and role within the software development lifecycle.
By offering more options and catering security technologies to the many needs and stages of the software development lifecycle, and the individual roles involved, we can make it much easier to increase adoption and secure software. With this approach, Security technologies are at DevOps professionals’ hands – simply because each DevOps persona has his/her own flavor of Sec technologies, customized to the persona’s needs.
Those Sec technologies can be run as often as it is necessary because they are invoked from IDEs and build servers with no assistance from a middle-man. They send results back to those who invoked them. The Sec technologies also run along the entire software lifecycle because each DevOps phase has its own dedicated flavor of Sec technology. Finally, Sec technologies on the left get balanced on the right with the breadth of security coverage as security technologies test more complete applications.
The good news is that the future for application security looks promising. New research from Global Market Insights reveals the application security market will witness rapid growth in the coming years. We believe that by 2020, more than two-thirds of enterprises will adopt software composition analysis (SCA); that the use of static application security testing (SAST) will match the use of dynamic application security testing (DAST); and that DAST will offer convergence with IAST or SAST.
As adoption of application security technology gains more traction among enterprises, we can confidently decrease the number of software vulnerabilities, and reduce the number of data breaches we see in the world today.