Redefining the role of security in software development
Software is becoming increasingly important for market success, driving an ever greater need for speed in the development process. The rapid adoption of DevOps is testimony to this shift, with agile development no longer making the grade for many companies.
Accelerating time-to-market is of increasing importance for developers: in a recent survey conducted by Veracode, over a quarter of British and German development operations managers stated that meeting budget and delivery schedules is their top concern.
Leveraging open source components has therefore become common practice. But while deploying these third-party elements helps developers meet deadlines, it also unwittingly exposes their organisations and/or products to security flaws.
This persistent use of software components in development is creating a systemic risk in most businesses’ digital infrastructure, with recent code-level analysis of billions of lines of code showing that up to 97 per cent of Java applications have a known vulnerability in at least one component.
While introducing security risk, open source components should certainly not be spurned by organisations’ development teams due to the essential role leveraging existing code plays in enabling developers to meet their deadlines. However, adapting and evolving the development process to support more secure software production is crucial – and DevOps is helping many organisations do just that.
Speed is everything
The traditional role that security has played in the development cycle has frequently been a hindrance to rapid software development. With security considered only late in the software development cycle, developers were often presented with long lists of flaws at the end of the process. This approach frequently led to delays in delivery, with 85 per cent of developers recently surveyed stating that time spent remediating vulnerabilities impairs their ability to deliver products and features on schedule and within budget.
In our software-driven world, delivery delays can now cost a company market share. As a result, pressure is mounting on developers to not only produce high quality code, but to do so continuously and fast! This has a knock-on effect on security, with 70 per cent of developers admitting that they feel pressure to release updates even when doing so overrides security concerns – ultimately putting at risk both the organisation and its customers’ data.
And with Veracode’s analysis of internally developed applications revealing that, when first assessed, nearly two thirds (63 per cent) aren’t compliant with the OWASP Top 10 (the widely accepted standard for application security), the risk is undeniable.
But by bringing development, security and operations teams together, organisations have the opportunity to create a culture of secure software development. This shift to DevOps helps make security everyone’s responsibility, enabling it to be embedded through the software development life cycle (SDLC) to avoid last minute rushes to remediate long lists of vulnerabilities.
Education, education, education
While DevOps certainly has the potential to reduce security risk without slowing down the SDLC, organisations can’t expect an immediate and reflexive mind-set shift from development teams whereby everyone will become accountable for security.
Developers, for whom speed and functionality have always been the priority, must extend their skillset to include understanding both what the different types of vulnerabilities are and how to remediate them. And it is down to organisations to provide them with the opportunities to learn and the tools to achieve this.
Sandboxing tools are just one solution growing in popularity with the rise of secure DevOps. Enabling the development team to assess new code against the company’s security policy, this technique is driving greater consciousness and accountability for security in the coding stage.
However, tools can only do so much, and security will only become ingrained in the development process when developers understand vulnerabilities and the risk they pose. For instance, a developer will be more incentivised to remediate a cross-site scripting (XSS) flaw when they understand the risk it poses to the organisation, the product and/or its users – especially if it could impact the delivery schedule.
The impact of education on reducing flaw density is undeniable. For example, those organisations that offered remediation coaching and eLearning to their developers saw a significant reduction in flaw density (1.45x and 6x respectively).
Stemming the systemic risk
The massive shift towards digital transformation in all industries means that our lives will be increasingly powered by software – and speed will be everything for those businesses who want to keep the edge on their competition. But with the concurrent rise in cybercrime, it is important that this isn’t achieved at the expense of producing secure software.
Organisations must look to DevOps to redefine the role of security in the SDLC if they are to reduce the risk that vulnerable software components pose to their organisation, products and customers.