Every software development project is a delicate balancing act. To deliver the full project scope on schedule and within budget is challenging enough – but when you also have to make your application secure, you are now juggling four plates. Let’s see how a modern DAST solution can help you build a secure SDLC to make this possible.
Invicti’s Suha Akyuz on Enterprise Security Weekly
Suha Akyuz, Application Security Manager at Invicti, talked to Paul Asadoorian and guests on episode #233 of the Enterprise Security Weekly cybersecurity podcast, taking a project management view of the challenges of bringing security into modern agile development. Watch the full discussion below and read on for a summary of the main points.
Your SDLC is a project – and it’s likely to fail
Whatever development methodologies you use, your entire software development lifecycle (SDLC) is one big project. Like any other project, it is constrained by its defined scope, budget, and time. Changing one of these constraints without adjusting the others will always have negative consequences for overall project quality and success. As all IT professionals can attest, scope creep results in longer development times and higher costs, while cost-cutting can drastically affect quality – and this includes security. It’s a tough balancing act and as many as 67% of projects fail to fully deliver on their initial promises according to PMI.
The bottleneck of waterfall security
The traditional SDLC model was waterfall development with monolithic releases that went through subsequent stages with rigid handoffs. A release could take months or years to go from requirements to deployment and security testing was only performed during the testing phase (or in some cases even as late as the production phase) by a dedicated security team. With the advent of modern development technologies and frameworks, development and testing became ever more efficient and automated, making the dedicated security testing phase a serious bottleneck.
As a consequence, security now often takes a back seat to release schedules. A recent report has revealed that only a fraction of organizations never release applications with known vulnerabilities. Clearly, software project managers across the board are struggling to reconcile security with all the other requirements that they have to balance. So what about agile development? Would this more flexible approach combine better with security testing?
Agile development can’t wait for security
To speed up development and shorten release schedules, agile methodologies are now the norm in application development. The idea behind agile development is to replace monolithic releases with mini-releases that are implemented during 2–3 week sprints. This allows teams to design, build, and test features and fixes incrementally instead of dumping them all into one big release.
In the agile world, isolated security testing is no longer a mere bottleneck – it is simply unusable. The whole idea behind agile development is that each sprint is self-contained and when it’s done, it’s done. When you have 2 weeks to complete a sprint, there is no time to wait for security test results and then fix vulnerabilities. The only realistic way to incorporate security into an agile SDLC is to embed it into every step of the process.
From SDLC to SSDLC
Secure SDLC (SSDLC) can be considered the security layer of the SDLC pipeline. Each stage of the SDLC has corresponding security considerations that need to be built directly into the tools and workflows used in that phase. Modern agile DevOps relies on automating everything you possibly can, from coding through testing to deployment. By infusing security into each stage, you build DevSecOps – but for that, security testing also needs to be automated.
To prevent application vulnerabilities, you would start by adding static security analysis to other static testing executed during development. While challenging to set up efficiently, this can help with static vulnerabilities – but you still need dynamic testing, traditionally done by the security team in the testing phase. In an agile SDLC, stopping the pipeline to run external tests is not an option, so now you need automated dynamic testing that can keep up with development without flooding the pipeline with inaccurate results.
Integrating DAST to build DevSecOps
A modern dynamic application security testing (DAST) tool can be integrated into the SDLC to detect vulnerabilities as early as possible when they are easier and cheaper to fix. As an enterprise-grade application security solution, Invicti integrates with leading issue trackers and CI/CD platforms to deliver accurate results into the tools that developers already use. With Proof-Based Scanning technology, the majority of direct-impact vulnerabilities are confirmed automatically by the scanner with no risk of false positives, so developers can immediately start fixing the issues without waiting for verification by the security team.
Just as the move to agile DevOps is a practical necessity to keep the development pipeline moving in step with business requirements, so the move to DevSecOps is the only realistic way to combine a high level of security with modern development and project management approaches. There are many ways to get there, but all of them need at least a high-quality DAST solution to act as the automated agile equivalent of a security testing team.
Scalable and accurate DAST is a must-have in any DevSecOps toolbox – and Invicti leads the industry.