Feb 12, 2018
A 2016 study by the Ponemon Institute revealed that 58% of respondents believed their organisations are under pressure to release new apps quickly, and 35% of organisations don’t perform any major application security testing prior to deployment. Today, I'm looking at how your organisation can meet release pressures without compromising your security.
The Rush to Release Risks
When speed is the main driver of your development process, it’s inevitable that corners will be cut. There are three main risks when you rush the development process:
- You compromise on functionality, and deliver an application that does less than your competitors’
- You compromise on quality, and deliver a buggy application that doesn’t work as well as your competitors’
- You compromise on security, and hope that any vulnerabilities in your application won’t be exploited.
If a company’s development team is measured on the functionality and efficacy of their code (and they probably are), it’s unlikely that you will compromise on functionality or quality. This means that when deadlines are tight, security can be the first thing to slip, putting your data, and your users’ data, at risk. But 82% of application users would change providers if they knew an alternative option was more secure. So can your organisation really afford to compromise on application security?
4 Steps to Prioritise Application Security
1) Make security a company-wide priority
With increasing pressure for your company to release new apps or updates sooner, you’ve got to find a balance between development speed and quality. Traditionally, development teams are measured by their efficiency and the functionality of their code, with security being a low priority. Instead, you need to raise the profile of security in your organisation. Research shows that 91% of successful data breaches rely on the manipulation of an organisation's employees and customers, using spear phishing and social engineering attacks. From executive to junior levels, data breaches can be triggered by anyone within your company. To combat this, your organisation needs to roll out a mandated security awareness training programme across the entire organisation.
2) Integrate security into the whole SDLC
The best way to ensure that a rush to release doesn’t compromise the security of your applications is to integrate security best practices into every stage of the software development lifecycle (SDLC), so that security becomes an established part of your existing process rather than an afterthought. By adopting secure coding standards and practices such as pair programming and regular code reviews, you can defend against common application vulnerabilities and raise the security standard of your applications. Most of the vulnerabilities that make it into finished applications can be detected and remediated early on in the SDLC. As well as being easier to fix when found early, a vulnerability is also 30x more expensive to fix in post-production than during the design stages of the SDLC!
3) Align devs and security
In many organisations there’s a serious disconnect between the security and development teams. Few developers have an up-to-date understanding of security risks, and security teams rarely understand the time- and results-driven pressures that the dev team faces. By providing company-wide security awareness training, and improving communication and understanding between your security and dev teams, you encourage a cultural shift in your organisation that will have a direct impact on the security of the applications you develop.
4) Use tools to get a handle on vulnerabilities
While security testing can be a very time-consuming process, there are many tools that can automate parts of it. It is vital that your security team is properly trained to use these tools, so that they can identify false positives and focus on the real threats that pose a risk to your organisation. By automating as much of your security testing as you can, you make security an integral part of your development process without taking up too much time or delaying the release of your application.