AppSec Bites: A Podcast on Balancing Speed and Thorough AppSec Coverage (Part 1)

A joint blog post from ThreadFix and Veracode.

We have all become accustomed to high-speed delivery and the instant gratification it brings (any large two-day-shipping retailers come to mind?). It is only natural that the demand for speed and efficiency in our daily lives has expanded to the technology space. This relentless push for innovation is forcing companies to reevaluate how they develop software and to look for new ways to shorten the development cycle. The race to release software weighs heavily on the minds of tech companies everywhere.

This race-to-the-finish-line mentality brings increased security risk with it. If your software isn't safe to use, it does you no good how fast you got it to market. Companies then face a dilemma: how can you release software as quickly as possible while still implementing a comprehensive application vulnerability management program?

The solution for many organizations is to move their security practices left. This means implementing application vulnerability testing tools during the development phase rather than right before production, which can slow down development on the front end but, in the end, saves time overall and helps make processes more efficient.

The reality, however, is that not every scan type can be performed early in the software development lifecycle. Scans like penetration tests and dynamic analysis perform better in runtime scenarios. That raises the question: should these be neglected? In part 1 of our AppSec Bites series with Veracode, Tim Jarrett, Director of Product Management at Veracode, argues 'no' and discusses why it is worth taking the time to run those scans.

How can you save time when including application vulnerability management in your development cycle? If your scans can be implemented early and effectively, go ahead and implement them. If you are not already automating your AppSec scans, automate them. You could also consider leveraging Veracode's sandbox capabilities. Kyle Pippin, our Director of Product Management for ThreadFix, says, "The sandbox allows developer teams to get in on the ground floor with risk assessment before problems make it to the security team. It enables the development to catch the low-hanging fruit right off the bat."

Overall, speed and security go hand in hand. You have to take the time to understand the risks, set realistic expectations with your developers on how to prioritize vulnerabilities, and then decide what tradeoffs make most sense for your organization.

To learn more about the balance between speed and AppSec coverage, listen to part 1 of our podcast series with Veracode.
