Traditional AppSec Code Halts Kill DevOps Release Cycles
In recent years, the application security (AppSec) field has not advanced as rapidly as the software development discipline. While developers are under constant pressure to push code, legacy security tools inhibit their ability to do so. Developers face constant code halts for security testing, which wastes time and greatly diminishes productivity. Software defenses like static application security testing (SAST), dynamic application security testing (DAST), and web application firewalls (WAFs) also create inefficiencies by creating delays and requiring “training” periods for developers. Organizations need a new generation of AppSec that matches the efficiency and optimized processes of methods like Agile and DevOps.
Developers Are in High Demand
As the economy becomes increasingly digital, software developers are becoming more and more critical. In one recent study, organizational leaders said that access to developer talent is an even bigger factor in a company’s success than access to capital. In the same study, 96% of executives said they believe that increasing the productivity of developers is a medium or high priority.
However, in 2020 alone, it is estimated that 1 million computer programming-related jobs in the U.S. are expected to be unfilled. Many organizations are turning to nontraditional applicants and internal training to fill these gaps. While this data predates the COVID-19 pandemic, all indications are that this unprecedented disruption to the global economy will only accelerate the need for high-end developers.
AppSec Practices Have Been Slow to Evolve
If there is a slowdown in development, it’s often due to security issues. Legacy AppSec approaches often lag behind advances in software development. For example, new streamlined development approaches like Agile and DevOps result in vast increases in application deployment speed. A recent study reports that 27% of global developers now release new code each month or faster.
Yet, despite the evolution of AppSec tools and practices to date, the average number of security vulnerabilities per application has remained unchanged for years—with 26.7 serious problems on average in every release. With over 100 billion lines of new code being written each year, that’s a tremendous amount of vulnerable software.
Vulnerabilities mean developers must stop what they’re doing to investigate the issue. These delays leave development teams frustrated at a time when attacks on applications are heating up. Analysis of recent breach data finds that one-quarter of all breaches can be traced to the exploitation of web application vulnerabilities. While development teams are measured on speed and efficiency, workflows like security testing bring significant inefficiencies—17 hours per week for each developer. This is nearly half their workday!
Legacy Tools Hamper the Development Process
The reality is that development teams are simply too busy to perform AppSec activities. The development process is too fast, applications are too complex, and threat actors are much too sophisticated.
The demand to roll out releases faster is coming from the top of the organization. According to one study, 68% of organizations have a mandate from the CEO that nothing should be allowed to slow down the development process.
But despite these demands, legacy security tools simply don’t perform well in changing environments like the cloud, containers, or microservices. As time to market becomes increasingly crucial to organizations, these traditional tools create interruptions that can significantly slow the development process by forcing developers to interrupt coding to deal with alerts that aren’t valid, pursue vulnerabilities that are irrelevant, and halt development due to security scanning of code.
Following are some traditional AppSec approaches that are quite popular, but still not living up to expectations in the DevOps process:
DAST Creates Delays Later in SDLC When They Have Bigger Consequences
Dynamic application security testing (DAST), also known as black box testing, emulates the activities of a hacker, feeding malicious data to the software as it runs. It analyzes how the application responds to the simulated attack and looks for security gaps that could be exploited. DAST identifies problems that only appear when the application is running or when a known user logs in—and thus would be missed by SAST.
But DAST tools also create significant headaches for developers. DAST has no insight into the underlying causes of the vulnerabilities it uncovers. Therefore, teams must spend time hunting down the bugs, then correlate them with DAST reports. In addition, DAST regularly takes codebases offline for testing, but these delays are often more consequential at this later stage of the SDLC. Vulnerabilities discovered during this phase are costly and time-consuming to remediate and can potentially delay time to market significantly—at no fault to the development team.
SCA Tools Create Code Delays and Have Incomplete Results
Keeping track of open-source dependencies is a priority for the security team, and software composition analysis (SCA) tools examine software to determine the origins of all components and libraries within the software. They help organizations track the sources of an application’s codebase and locate new entrants in the Common Vulnerabilities and Exposures (CVE) database as they come up.
However, SCA tools can add further frustrations for the development team. These tools scan line by line, which means further delays while code sets are taken offline for SCA scanning. Making things worse, for all the code delays scanning causes, SCA tools do not provide complete information on vulnerabilities. They only examine lines of code against the CVE database, and they do not identify cases when dependencies are present but not used. This results in false positives and wasted developer time as they chase down more extraneous alerts instead of creating code.
WAFs Bring Limited Security and a Ton of False Positives and Negatives
When an application is released into production, the development team typically moves on to the next project. However, if a vulnerability is discovered and/or exploited after the software is in production, developers must drop what they’re doing to remediate the issue. And vulnerabilities discovered in production are more time-consuming to remediate than those identified during the design process. This means current projects can be severely delayed, often with an adverse effect on the bottom line.
The foundation of security for applications in production has long been the web application firewall (WAF). But like most SAST and DAST tools, WAFs are notorious for false positives as well as false negatives. False positives result when legitimate user requests are identified as an attack and blocked by the WAF. False negatives occur when real attacks are missed and therefore not blocked by the WAF.
Organizations Need a Next-generation AppSec Solution
Development teams are under constant pressure to meet business-mandated deadlines, and these time limitations are often critical to the success of the business. While SAST, DAST, SCA, and WAF tools each provide some security benefit, they mostly result in code halt delays for the development team.
In today’s rapidly evolving marketplace, delays in development cycles are unacceptable. Unfortunately, as applications become more complex and development processes more agile, old-school application security processes result in frustrating delays that have a direct impact on an organization’s bottom line. A more comprehensive, holistic, automated approach is needed.