Getting an application security testing tool and getting actual security improvements are two entirely different things. For its recent report Automated Application Security Testing for Faster Development, the Enterprise Strategy Group (ESG) interviewed Invicti customers to find out how application security (AppSec) automation affects development efficiency. One of the main findings was that workflow integration is critical to bridging the gap between test results and security fixes. Far from being a nice-to-have, integration can make the difference between having an efficient application security process and one that doesn’t work at all.
Catching the DevOps train with security testing
For years, enterprise organizations have struggled to balance security requirements with the practicalities of testing and remediation. The pragmatic compromise used to be to focus on securing business-critical websites and applications and hope for the best with all the others. In today’s cloud-first world, organizations are coming to realize the importance of testing every single web asset – except now they need to do this without compromising the speed of development and innovation.
Software is increasingly being developed using agile methodologies with frequent deployments, where relatively small teams rely on extensive automation to build and deploy new functionality in a matter of weeks. When moving from business requirement to production feature at that kind of speed, development teams don’t have time to step outside their well-oiled workflows – and definitely don’t have time to stop and wait for security testing. As one Invicti customer interviewed by ESG put it: “We don’t want to have to run scans at the end of a project and find the problems and have to rebuild everything; it’s not efficient.”
Application security without integration simply doesn’t work
Apart from the extra time, wasted effort, and the risk of delaying software releases, using non-integrated application security testing comes with a massive caveat: if security proves too much of a hassle, it will simply get bypassed. The current report corroborates previous Invicti research to indicate that the majority of development organizations are ready and willing to release software with known security vulnerabilities when deadlines loom, with 79% of respondents confirming that they’ve knowingly released vulnerable code on more than one occasion – and nearly half releasing vulnerable software regularly.
To be effective, your application security workflow needs to be transparent to developers and integrate tightly with their existing tools while still providing them with the information they need to fix issues. Having the security team send periodic vulnerability reports to developers no longer works. One of ESG’s interviewees put it bluntly: “If we throw a PDF at them that says, ‘Here’s all the stuff that’s wrong; go fix it,’ we’re not successful.” Development work is organized using tickets in issue trackers, so security tools must feed directly into these workflows or risk being ignored. No ticket, no fix – it’s as simple as that.
When reported in the right way and with the right tools, however, security defects can stop being one-off time sucks and start getting resolved as a matter of course. As one Invicti customer said: “Security issues show up in their Jira queue, their Azure DevOps tickets, whatever they use, so they don’t even care if it came from the security team. It’s just another bug to fix.” And because fixing bugs is what developers do every day and what they are good at, integrated security can become a permanent part of software quality.
Integrated AppSec saves time and money
Having an application security process that actually works and delivers tangible security improvements is already a major achievement, but integrating effective AppSec tools into your development pipeline also unlocks efficiencies and savings downstream. Especially for organizations that used to rely on external penetration testing, having an efficient vulnerability scanning solution plugged directly into their internal workflows can yield big savings on testing and issue resolution. Instead of commissioning a new (and costly) pentest every time, they can find and resolve many issues in-house already during the development process, which is faster and far cheaper than going back to a finished project for late-stage fixes.
While less immediately obvious, improved internal communications and reduced inefficiencies can also also be a major source of savings. Invicti customers interviewed by ESG reported that integrating application security testing allows security teams to work far more efficiently, with better developer communication, fewer tools overall, and less need for external consultants and services. To quote an Invicti customer, “Our teams are skilled in security but not in secure code development skills or development, so we look for the right tools to fill in the gap.” Having these tools in place means less back-and-forth and more time to focus on work that brings value.
Do or do not – there is no try
Every large organization now develops at least some of its web applications in-house and wants them to be secure. The report reveals that building application security testing directly into development workflows is the only practical way to keep up both with security requirements and the pace of development. But more than that, feedback received from industry practitioners suggests that either you have integrated application security or you have no application security at all. Inefficient processes and inconvenient tools will end up getting bypassed, with security pushed into the back seat when timely software delivery is at stake.
Embedding application security testing right into development is no longer a luxury – it is a prerequisite for building secure software. Read the full report to learn more: Automated Application Security Testing for Faster Development