World Quality Report: 3 ways to build more resilient code

Brent Jenkins, Evangelist, Micro Focus Fortify

As they move into DevOps, teams often get advice on how to integrate security and quality-assurance (QA) testing into the development process. The advice is sound; surveys have measured which development processes and security habits are shared by elite, mature DevOps teams.

However, what is often missed in application security is how companies can push their programs beyond those initial forays into more mature territory and build a resilient software development pipeline.

Successfully growing security and QA programs continues to be difficult. While a well-executed DevOps program can reduce the complexity of software-security and QA processes, orchestrating agile approaches has grown more complex overall. That's one of the top-level takeaways from the World Quality Report 2020-21.

Here are recommendations for transitioning from the simple security and QA tests produced by siloed experts to a more resilient integrated approach that will give your development teams a smoother path to maturity.

1. Share security responsibility

Companies should focus on people first, and then process and tools. Getting developers and security teams on board with integrating testing into the development and deployment pipeline is critical.

A significant factor in growing security maturity in any software development environment is sharing responsibility between the developers and the security team. Moving more security and quality tests into the development process—that is, "shifting left"—and automating those tests are the two most significant ways that companies are speeding up their agile software pipelines, with 52% and 51% of companies almost always taking these approaches respectively, according to the 2020-21 World Quality Report.

Working together is important, because most organizations tend to have only one or two application security professionals—workers who often have other responsibilities. Yet two-thirds of respondents focused on the technology stack as essential or very important—the top aspect, according to the World Quality Report—while culture and talent were the least important factors.

A security champion program can help these companies focus on the people and build bridges between security and development. When the people work together and are knowledgeable, other considerations such as the technology stack and executive support will often take care of themselves.

2. Go beyond simple tests

Organizations that are starting out often have only simple test suites—read linters—that conduct static checks during development or at code check-in. In most mature application security programs, the security team works with developers to push more testing into the process, while recognizing that too much testing can slow development down.

The more complex tools used by mature organizations, however, can overwhelm less mature developers and security teams. Rather than enticing developers to code more securely, overly complex tools often deter them from engaging with security at all.

For that reason, once a company has integrated simple quality and security tests, the development teams should try to tackle specific classes of vulnerabilities, such as SQL injection and cross-site scripting. The most common vulnerability classes, such as those in the OWASP Top 10, can be detected by many available tools, a good number of which are open source.

In the end, the way to move forward is to not bite off more than you can chew. Your team should not try to solve every vulnerability, but pick one or two classes and start there.
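As an illustration of what "pick one class and start there" can look like in practice, here is an added example (written for this article; not code from the author or from Micro Focus Fortify) of a check-in-time static check that targets SQL injection in Python code. It parses source with the standard `ast` module and flags `execute()` calls whose query text is built at runtime by concatenation, `%` formatting, `.format()`, or an f-string. The two `find_user` variants, the table contents, and the `O'Brien` input are all constructed for the demonstration; the runtime half shows that the concatenated query breaks on a perfectly legitimate name with an apostrophe, while the parameterized query handles it correctly.

```python
import ast
import sqlite3
from typing import List, Tuple

# Constructed sample code for the check to scan. Both functions are hypothetical,
# written for this example. The first builds SQL from user input by concatenation;
# the second passes the value as a bound parameter.
VULNERABLE_SRC = '''
def find_user(cursor, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return cursor.execute(query).fetchall()
'''

HARDENED_SRC = '''
def find_user(cursor, username):
    return cursor.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''

# DB-API method names whose first argument is the SQL text.
EXEC_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime rather than being a literal."""
    if isinstance(node, ast.JoinedStr):                      # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "a" + x  or  "a %s" % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                          # "a {}".format(x)
    return False


def find_sql_concat(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) for every execute()-style call whose query argument is a
    runtime-built string, or a local name assigned such a string in the same function.
    Deliberately simple: it does not follow data across functions or modules."""
    tree = ast.parse(source)
    findings: List[Tuple[int, str]] = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Pass 1: names in this function that are bound to dynamically built strings.
        dynamic_names = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
                dynamic_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
        # Pass 2: execute()-style calls fed by those strings.
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in EXEC_NAMES and node.args):
                first = node.args[0]
                if _is_dynamic_string(first) or (isinstance(first, ast.Name)
                                                 and first.id in dynamic_names):
                    findings.append((node.lineno,
                                     f"{func.name}: SQL built from a runtime string is passed "
                                     f"to {node.func.attr}()"))
    return findings


def run_both(username: str):
    """Run the vulnerable and hardened variants against a constructed in-memory SQLite
    table. Returns (vulnerable_result, hardened_result), where a result is the list of
    matched ids, or the exception class name if the query failed to parse."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "O'Brien")])
    results = []
    for src in (VULNERABLE_SRC, HARDENED_SRC):
        namespace = {}
        exec(src, namespace)  # load the sample function from its source text
        try:
            rows = namespace["find_user"](conn.cursor(), username)
            results.append([row[0] for row in rows])
        except sqlite3.Error as exc:
            results.append(type(exc).__name__)
    return tuple(results)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, find_sql_concat(src))
    print("alice   ->", run_both("alice"))
    print("O'Brien ->", run_both("O'Brien"))
```

The check is intentionally narrow: it catches one vulnerability class, in one language, with one obvious pattern, which is exactly the scope the article recommends as a starting point. A hit is a prompt to rewrite the query with bound parameters, as in the hardened variant; a team can wire the scan into a pre-commit hook or CI step and widen the ruleset only after developers are comfortable acting on its findings.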

3. Push automation everywhere

Companies believe that they have enough automation, with about two-thirds of respondents to the World Quality Report answering that they had the required automation tools and enough time to build automation tests. However, an average of only 15% of tests were automated, and only 3% of companies automated more than 20% of tests, according to respondents.

Well-implemented automation leads to more secure and resilient code, since testing takes less time, can cover more software, and can lead to better detection of defects. Despite recognizing this, companies continue to underfund testing, according to the survey.

Given the importance of automated testing in preventing avoidable defects from creeping into code, automation—more than any other factor—will help your development and security teams become more mature and produce more resilient code.

Resilient code takes a village

Just like your first car should not be a Lamborghini, trying to move too quickly to high-performance and complex testing environments will result in problems. With these best practices you can scale up your development with a more resilient, longer-term approach.
