Why Companies Still Struggle with Security, Despite All the Hacks

In the race to push out new apps, developers are responsible for prioritizing security without sacrificing speed.

Throughout 2017, we’ve seen a tidal wave of high-profile hacks, leaks and data breaches that has been nothing short of jaw-dropping. In September, Equifax reported that a security breach exposed the personal data of as many as 145.5 million Americans. Even more shockingly, Yahoo! has revealed that its August 2013 cyberattack may have affected all three billion of its user accounts.

You would think that these and other stunning cybersecurity disasters of 2017 would serve as wake-up calls for businesses everywhere—but will they?

“Unfortunately, they probably won’t change anything,” says Peter Chestna, Director of Developer Engagement at security firm Veracode. “At least not until there is a corporate-wide shift in accountability to make the developers take responsibility for the security of their applications.”

Inherent Risks in the Pursuit of Speedy Delivery

The rule of thumb for DevOps-driven companies is that new applications must be developed, released and updated as quickly as possible. That breakneck pace has only exacerbated a dangerous misconception—namely, that security is not the responsibility of the developer writing the code.

“Speed is the current measurement [of success] in most organizations,” Chestna says. “Today’s goal isn’t making sure that application software is secure when it’s released. Instead, most companies push the software out as fast as they can. That’s the way today’s developers are currently paid and trained to work.”

Even worse, because many developers pull in open-source components to speed up coding, vulnerabilities in those components are often baked into applications, flaws that remain unknown to the CISOs and security teams charged with keeping hackers out.

Wanted: A Culture That Emphasizes Fast—and Secure—Development

For security to become a key business priority before a serious breach happens, a fundamental culture shift must occur, Chestna explains.

In recent years, application development has rapidly evolved from a waterfall system (where major releases occur one to four times per year), to agile (where software goes public one to four times per month), to a DevOps model (where software is released as often as four times per day). Even though the development process now moves in daily cycles, most of today’s security testing and QA has not been aligned with the DevOps framework.

“This is not just about tools and resources,” says Chestna. “It’s about understanding that nothing will change until development leadership takes responsibility—until they make releasing secure software part of their goals. This shift in accountability must start at the top.”

Transforming corporate culture at the highest levels can be exceptionally difficult, especially when it appears that nothing is broken (that is, until a major data hack occurs). That’s why weaving security into a business’s DNA is so often a severe uphill battle.

DevSecOps: Integrating Security and DevOps

So how do you change leadership’s attitudes and make security a top priority? For starters, companies need to adopt new tools to make security an integral part of the DevOps process.

“The key is to make security checks invisible,” Chestna says, adding that Veracode’s security software “works inside the tools that developers are already using today. We are similar to spell check; it’s a security check that shows up as you’re writing code. This provides a feedback loop running at the speed of DevOps.”

And this is one way to begin a culture shift. By bringing awareness of security vulnerabilities to developers while they are writing code, companies can empower developers to assume responsibility for secure software—and allow real, sustainable change to occur.

About the author

Bill is a speaker, author and certified leadership coach. He actively seeks out and supports those who are brave enough to build a better future.