The rapid growth of the app economy has challenged the traditional Software Development Life Cycle (SDLC), pushing for more agile processes, more automation, and greater collaboration across development, QA and security operations. In Frost & Sullivan surveys, agility tops business leaders’ list of priorities, as they prepare for the fast-paced, hypercompetitive future. IT departments, in particular, find that in order to support escalating business technology needs, they must streamline processes, minimize resource consumption, and reduce time-to-market.
The traditional Software Security Assurance (SSA) approach is to deploy static and dynamic testing technologies during the build and QA process. While security testing is still a critical part of a successful SSA program, it is no longer enough. Two new trends emerge in the new SDLC: shifting left onto the desktop of the developer and bringing software security into operations.
DevOps causes organizations to ‘shift left’ – to prevent potential bottlenecks before they occur. To do this in software development, developers need to be better equipped to identify and prevent security vulnerabilities immediately – as they are writing the code. Not only can spell-check-like functionality help developers avoid writing new vulnerabilities, it can be a great feedback tool to help them learn more secure coding practices. These tools must be baked into their native IDE – they cannot be a bolt-on tool that disrupts the developer’s work flow.
Security cannot be considered only after the code is written. Requirements of the new SDLC on software security for the developer:
- Immediately find and fix as the developer codes
- Remediation guidance in the native development environment
- Continuous feedback at DevOps speed.
Scanning tools need to accommodate a variety of work flows using enterprise-scale management and automation for consistent results. Analytics and intelligence can improve the accuracy of the scans as well. Why not use tools that learn from cumulative scanning experiences to improve the outcomes and reduce false positives?
Security scans must be an integral part of the deployment effort and they must be more frequent. Requirements of the new SDLC on security testing includes:
- Static and Dynamic technologies tightly integrated into existing tool sets
- Hybrid security testing delivery to quickly scale in accordance to business needs
- Distribute application security testing across thousands of applications.
Continuous Monitoring and Protection
In production, applications must be continuously monitored and protected. This compensating control can help you manage risk brought about from more rapid deployments. And the instrumentation of these controls should be built in from the very beginning, back in development, again not bolted on as an afterthought. Why not provision the instrumentation automatically as part of every provisioning effort? Then the instrumentation itself presents no additional risk as it is inherent from the beginning and integrated into all stages of application testing. When you get to production, you can confidently – and immediately – monitor and protect your applications.
The new SDLC requires bringing software security into operations.
- Find exploitable vulnerabilities in running applications
- Expand testing to web, mobile and cloud applications in production
- Continuously scan for vulnerabilities in live systems.
Can your security partner meet the needs of the new SDLC?
You buy a product from Amazon based upon the best reviews, so why would you consider doing anything less for your security technology? Proven technologies, used for static and dynamic testing, as well as runtime monitoring and protection, recognized by industry analysts, can ensure optimal results. Generally, people don’t fired for buying products that lead in the Gartner Magic Quadrant, especially one that has produced these results every year since the MQ was created. This leadership is accomplished through innovation.
How Micro Focus Fortify can help you
You need a partner you can rely on that innovates their products but also which has depth of security research to back the tools with the security intelligence needed to stay ahead of the bad guys. Fortify can help you across your end-to-end application security needs. Why cobble together a web of unintegrated tools and gamble on point solutions that sound great but may be gone tomorrow? Stick with a proven leader in app sec that can help you reach your DevOps goals.
Interested in learning more? Check out this AppSec infographic, which illustrates 3 key principles will help you embed security into your SDLC.