Security Integration for Efficient Development
For most developers, security is outside of their core skill set. The majority of developers have not received the security training that would enable them to identify exploitable vulnerabilities in their code. As a result, security testing is often the responsibility of another team, such as the quality assurance or security team, and is subsequently delayed until late in the software development lifecycle (SDLC), if it is performed at all.
This decision not to prioritize security as part of DevOps practices may have short-term benefits for release timelines, but it also carries a heavy, long-term cost to the organization. Unpatched vulnerabilities in application code add to the workload of the security analysts responsible for protecting the organization against cyber threats. Exploitation of these vulnerabilities could result in a security incident that carries heavy remediation costs, reputational impacts, and regulatory impacts. The time and cost associated with discovering a vulnerability in production (through vulnerability scanning, bug bounty programs, or reverse engineering a successful attack) and then creating and deploying a patch are significantly higher than if the same bug had been identified and fixed during development.
Shifting Security Left in DevOps
Many organizations have acknowledged that a transition from DevOps to DevSecOps is necessary and cost effective. By “shifting security left” in the SDLC, the company can minimize the costs associated with identifying and remediating vulnerabilities within their applications.
Making the switch to DevSecOps requires integrating security into every stage of the development process:
- While creating use cases for a potential product, security use cases should be considered alongside features.
- During development and testing, security tests should be created and run continuously alongside functional tests.
- In the testing stage of the SDLC, an application should undergo a penetration test to identify any overlooked issues.
- Before release approval is granted, a software “bill of materials” should be generated outlining all of the application’s dependencies and demonstrating that none of them contain known vulnerabilities.
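The last step above, gating release approval on a bill of materials with no known vulnerable dependencies, is easy to automate. The following is an added example and not code from the original article: it reads a small CycloneDX-style SBOM fragment, matches each component against an advisory list using semantic-version ranges, and fails the gate when a blocking-severity finding exists. Both the SBOM and the advisory feed are constructed for illustration; the component names, versions and `ADV-EXAMPLE-*` identifiers are hypothetical, not real packages or CVEs.

```python
import json

# Constructed CycloneDX-style SBOM fragment (hypothetical components, not real packages).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http",   "version": "2.3.1"},
    {"type": "library", "name": "example-yaml",   "version": "5.1.0"},
    {"type": "library", "name": "example-crypto", "version": "1.9.2-rc1"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers and affected ranges.
# "introduced" is inclusive, "fixed" is exclusive, as in OSV-style ranges.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "example-yaml",
     "introduced": "5.0.0", "fixed": "5.2.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "example-http",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "critical"},
]


def parse_version(version):
    """Turn '1.9.2-rc1' into (1, 9, 2); pre-release/build suffixes are ignored."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under numeric tuple comparison."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_components(sbom_text):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def find_vulnerable_components(sbom_text, advisories):
    """Return one finding per (component, advisory) match."""
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def release_gate(sbom_text, advisories, block_on=("critical", "high")):
    """Return (approved, findings). Approval is refused on any blocking-severity finding."""
    findings = find_vulnerable_components(sbom_text, advisories)
    blocking = [f for f in findings if f["severity"] in block_on]
    return len(blocking) == 0, findings


if __name__ == "__main__":
    approved, findings = release_gate(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f"{f['severity'].upper():8} {f['component']}=={f['version']} "
              f"({f['advisory']}, fixed in {f['fixed_in']})")
    print("release approved" if approved else "release BLOCKED")
```

In this constructed data, `example-yaml 5.1.0` falls inside the affected range of `ADV-EXAMPLE-0001`, so the gate refuses approval, while `example-http 2.3.1` is already past the fix version and produces no finding. A real pipeline would replace the inline advisory list with a feed such as OSV or a vendor scanner and run this check on every build, not only at release, so that the fix is made while the change is still fresh.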
By making security a core part of the development process, an organization can dramatically decrease the cost of software vulnerabilities. The average cost of correcting a vulnerability in development is $80, compared to $7,600 in production.