Richard Dickinson, Sales Director, EMEA, Bright Security
In many of these enterprises, software developers now outnumber cyber security professionals by as much as 100:1. Historically, SAST has enabled developers to test code for accuracy during the build cycle, enhancing their performance. This means they are more easily able to keep pace with their growing workload.
For business agility and the drive to shift left, this is obviously good news as organisations create their own competitive edge using innovative software.
The flip side to this, however, is that no allowance has been made for testing for security vulnerabilities throughout the SDLC. Security testing tends to take place at the eleventh hour, carried out by security teams after what can be months of work by development teams.
Going back to the 100:1 ratio, the lack of resources in security teams causes bottlenecks at this stage of the process, with cyber teams buckling under the strain. Not only that, if vulnerabilities are detected this late, apps have to be returned to development to unpick the code, further slowing down release cycles. This drives up costs and creates a notional ping-pong between two key teams in the application delivery process.
The alternative to this is a worrying trend towards the acceptance of Security Debt as a quid-pro-quo. For the uninitiated, security debt is a variant of technical debt that occurs when organisations don’t invest enough money or resources into security efforts upfront.
The term compares the pressures of monetary debt with the long-term burden developers and IT teams face when security shortcuts are taken. Worryingly, current statistics estimate that 86% of organisations knowingly deploy vulnerable applications into production.
They don’t do this because it's an ideal scenario; they do it because their current resources, processes and solutions do not give them an AppSec option that can be deployed during the SDLC and would better equip them to meet deployment deadlines.
This needs to change if organisations want to maintain brand integrity and mitigate the reputational damage and compliance failures that follow from application security failures.
Security professionals are specialists and will always be responsible for all aspects of cyber security within their organisations. But with a modern take on DAST, it’s possible to give development teams the tools to test for security vulnerabilities during the SDLC.
By testing running apps and business logic on every commit, developers can validate vulnerabilities and fix them, improving code quality during the SDLC. With results returned immediately and no false positives, they hand over apps that are fit for release.
No more bottlenecks. No more 11th-hour testing. No more security debt relating to application security.
Nexploit from Bright Security is available as a SaaS service for the whole development team; it’s simple to learn and easy to use.
Bright Security is no exception, but we were impressed with their customer portfolio. Here are some of the brands they work with: