It’s no secret that early application security testing is beneficial – but do you know just how advantageous it can be? And on the flip side, do you know the potential consequences of not doing testing early on? Let’s run through the top five benefits of early security testing along with the risks of late testing.
Benefit #1: Simpler and quicker fixes
One of the biggest challenges developers face is working with code created by someone else. If they are tasked with fixing or amending code that they didn’t write, they need to understand it first. Despite the fact that modern development teams follow agreed processes and coding standards to make it easier, it is still a difficult task.
This is why most developers are much happier creating new functionality or extending existing code than working on bug reports. When the issue is related to application security (including web security), things get even worse, as you need to understand not only someone else’s code but also the security defect – and that might require a lot of research.
Rapid feedback from security testing in the pipeline
Early security testing means that code is never accepted into the upstream repository unless it is safe. When developers are required to fix any security issues before they can complete their task, you can greatly reduce the number of security defects that are reported at later stages and assigned to someone else to fix.
To illustrate how this is done for a common DevSecOps environment, let’s say the developer creates a private branch in a code repository (e.g. in Git) and then runs a CI/CD job (e.g. in Jenkins) to build that private branch. If the code compiles correctly, the CI/CD job runs a series of QA tests that may include unit tests, functional tests, and integration tests. Security testing is either included in the QA suite or follows it and may include running a DAST, SAST, and/or IAST tool. If any of the security tools as configured deem the software to be insecure, the build fails, just as it would with major QA issues. To submit a build, the developer has to eliminate all identified issues and try again.
Streamlined issue resolution and management
In effect, early security testing makes it impossible for a developer to submit code and complete their assigned task unless an automated security testing tool decides that the application has no major security issues. This results not only in more secure software but also in far less time spent on investigating and managing security issues.
With rapid feedback, developers are usually fixing their own code that they know and remember, rarely having to spend extra time trying to understand security issues introduced by others. And because far fewer security issues make it past the build stage, fewer security tickets need to be created, investigated, and managed, easing the burden on project managers and security engineers.
Benefit #2: Developer accountability for security defects
Many developers are still unfamiliar with secure coding practices or don’t believe that security is something that needs to concern them. This leads to elementary security mistakes still making it into production code, such as accepting and directly using untrusted inputs (which means injection vulnerabilities). Without a security mindset, even detailed peer code reviews may not improve things, as the reviewer may pay equally little attention to potentially vulnerable constructs.
If you don’t have security-oriented code reviews and your CI/CD pipelines don’t include early security scanning, insecure code will go into the repository. Once you get to staging, your vulnerability scanner will discover the vulnerabilities and report them or even directly create new issues in your issue tracker, but these issues still need to be assigned. Especially in large teams, your managers have no way of knowing who introduced a specific vulnerability, so there’s a good chance that someone else will be fixing that developer’s bug. In effect, developers are not accountable for security defects they introduce, so they cannot learn how to fix and prevent them – in fact, they might never know about them!
Treating security issues like other build-failing bugs
In most cases, automated QA in the pipeline will prevent developers from submitting buggy code (or at least code that fails QA), but security issues used to be treated differently. If you now run security tests at the earliest possible stage and suitably configure your tools, you can also prevent developers from submitting code that contains vulnerabilities. As a result, developers need to own and address security defects in the same way as other bugs. If they submit insecure code, their builds will fail until the scanner says the application is secure.
Application security is no longer someone else’s problem
Early security testing helps to show developers that, far from being a chore, following secure development practices is in everyone’s best interest and saves everyone’s time in the long run. Fixing your own bugs and learning to avoid them means less time spent in the future on hunting down long-forgotten security issues. And as a bonus, when testing is done automatically and accurately, there is no friction between colleagues for pointing out each others’ mistakes.
In modern agile development workflows, application security needs to be an integral part of software quality, making it part of the developers’ responsibilities. Automating security testing in the build pipeline enforces accountability for security issues – whoever introduced a vulnerability needs to understand and eliminate it or the build will keep failing. In the long run, this makes security a routine part of development and helps to foster the mindset that security is everyone’s responsibility.
Benefit #3: Developer education on security best practices
In software engineering courses, universities often teach their students some very complex development skills, such as the ability to formally prove the correctness of their algorithms using invariants. All too often, though, the same courses include little to no basic training on secure coding practices. Fundamentals such as the importance of distrusting user input are at best mentioned in passing as something to keep in mind, if they are mentioned at all – no wonder that many developers simply do not know how to write secure code.
In a professional environment, if a security engineer tells a developer that their code is insecure, this may lead to some problems, especially if security is not an everyday topic in the company. An inexperienced developer may feel anxious about their skills and even their position. An experienced developer, on the other hand, may become defensive because they believe they have enough experience to know what they are doing. Both may end up with a negative attitude towards security or even the security professional who pointed out the defect.
Individual and automatic remediation guidance
Automated testing early in the development process eliminates potential conflicts between developers and security teams because the vulnerability is reported by a machine, not by a person. Also, if testing is done earlier, nobody but the developer knows what vulnerabilities are being reported and fixed, so the developer does not need to feel anxious about being judged.
At the same time, a good security tool will not only report a security issue but also provide information about the root cause of the defect along with guidance on how to fix it. The right tools will help the developer apply the correct long-term fix and learn how to avoid introducing similar issues in the first place.
Improving application security through hands-on experience
With early-stage automated security testing, vulnerability reports become a routine part of development work and are addressed like any other bug, putting developers at ease with security and helping them to write secure code. Learning from your own mistakes is always the most effective way to learn, so rapid feedback from an automated tool helps developers build and practice their secure coding skills in a comfortable and efficient environment.
The importance of improving through hands-on experience at your own pace cannot be overstated. For a start, it eliminates developer anxiety around addressing security issues – for example, a junior developer doesn’t need to worry about the safety of their position in the company if their security-related skills are not yet up to speed. With early security testing, nobody else needs to be involved since each developer learns to fix their own vulnerabilities and avoid similar issues in the future. As long as the tool is accurate and provides guidance and additional information, this will be far more effective than any theoretical secure coding training.
Benefit #4: Lower risk of delays and costly rework
Imagine your dev team is working on a business-critical new feature that customers are already waiting for. One of the developers working on that release commits code that contains a serious vulnerability, but the vulnerability is not picked up during code review, and you don’t have early-stage security testing in the SDLC. As with many organizations, you only perform security testing in the staging environment before major releases. For this scenario, this means the vulnerability is only discovered during pre-release testing – several weeks after it was introduced into the code.
To track down and eliminate the vulnerability at this late stage, you have to delay the release and send the code back to development along with a vulnerability report. The code has to go back to the developers, then through QA, then back into staging for security retesting. And if you then discover that the vulnerability has not been eliminated because the developer applied a partial workaround rather than a proper fix, it’s back to the drawing board once again. Your critical release is now seriously delayed, your development teams are working overtime, and your customers are extremely unhappy, potentially costing you business. And all because of an error that was not spotted early enough.
Catch early, fix early
With early security testing in the SDLC, the risk of such a scenario is far lower. Most vulnerabilities will be caught way before the first version of the application is ready for release. Some less critical vulnerabilities may also be found in staging due to the ability to test the entire application on a real web server, but these are unlikely to seriously affect release deadlines. You can even set up your early testing to pass if only low-risk vulnerabilities are discovered automatically.
More predictable releases without security roadblocks
Late-stage bug tickets and the delays they cause tend to accumulate quickly. By eliminating vulnerabilities as soon as they are introduced, you can save a lot of time and stress. Most importantly, though, you can make your entire workflow and release schedule more predictable by avoiding unexpected delays just before releases.
Making security an inherent part of the workflow rather than a last-minute roadblock helps you more accurately estimate how long each stage of development will take and, ultimately, when the final release will be ready. When security defects are identified and fixed routinely and not as an emergency exercise, your entire SDLC process runs more smoothly and with fewer nasty surprises.
Benefit #5: No more releases with known vulnerabilities
The scenario described above assumes that a critical security vulnerability is considered a reason to delay a major release. In reality, when forced to choose between security and release deadlines, many businesses knowingly release vulnerable software rather than risk delays. This is especially true for organizations that don’t use early security testing, where any late-stage fix is likely to be costly and time-consuming.
It goes without saying that publicly releasing software with a serious vulnerability may come with a very high price tag. Even assuming that a fix is coming in the near future, you are taking a chance that the vulnerability won’t be discovered and exploited by malicious hackers until then. In most cases, businesses will at least apply temporary protection using a web application firewall (WAF). However, even that is not always possible (like when the application is hosted by a third party) and, in any case, WAF rules are not bulletproof and may be bypassed by attackers.
Making security a part of software quality
Early security testing greatly reduces the risk that you will be forced to knowingly release a vulnerable application. While staging-level tests and additional manual penetration tests may expose certain vulnerabilities that were missed or not yet present during automated testing in the pipeline, the most serious and fundamental security defects tend to be introduced early on. When security is treated as an inherent part of software quality across the entire development process, potentially the most troublesome security issues should never even make it into staging.
Confidence instead of tradeoffs
Avoiding situations where business pressures force you to intentionally release vulnerable software has obvious security benefits but also brings many other advantages. The confidence that comes from knowing and communicating that security is a vital and non-negotiable aspect of software quality in your company helps your teams work more efficiently and with less stress. When your developers deal with application security issues routinely rather than only in emergencies, they can address them quickly and effectively without breaking step. External stakeholders are more confident in your development process and release deadlines. And depending on your industry, demonstrating that you are routinely scanning for security issues and you never knowingly release vulnerable software may actually be a compliance requirement.
Early-stage application security testing with Invicti DAST
Invicti products are designed to integrate into the modern web SDLC and provide dynamic application security testing at multiple stages of the process, including in development. To learn more about using DAST in your SDLC, see our white paper Security at the Speed of Software: DAST in the SDLC.