World Quality Report: Shift your focus to QA for an app sec win

Brent Jenkins, Evangelist, Micro Focus Fortify

The fight to educate developers is far from over, but the majority of application security specialists believe that their companies and developers now have the policy chops and awareness to secure their software. Unfortunately, most development teams' security tools and controls are failing to meet the need.

As developers look toward the coming year, the picture for secure development is one of continued—albeit, slow—progress. The slightest majority—51%—of respondents in the World Quality Report 2019-20 no longer have concerns that there is a "lack of secure data policy guidelines and awareness." Yet only 41% of application security specialists have the proper controls in place to produce software programs and systems that adequately protect data. (For the latest data on this trend, see the World Quality Report 2020-21, or read our WQR report highlights story).

There's a lot of talk about having security seamlessly integrated throughout the entire software development lifecycle. But as with any defect in software, fixing security issues earlier is faster and cheaper, especially when you consider that the average cost of a breach for US organizations is now $8.19 million.

Until organizations treat security requirements, practices, issues, and remediation just like the rest of quality assurance testing—a requirement that must be met before shipping a product—security will always be behind the curve.

Quality-driven development pays off in more ways than one. Application security stands out as one key area in the 2019-20 World Quality Report. Here are three areas where developers and app sec specialists should focus.

1. Implement security checks earlier in the lifecycle

The cost of software vulnerabilities is far less if the issues are found during the software-design phase or during development. Vulnerabilities left until quality assurance testing or—in the worst case—found after deployment are very expensive.

Estimates of just how much companies can save have evolved over time. A 2006 presentation at the Black Hat Briefings estimated that $21,000 is saved for every vulnerability found and fixed during the design phase, $15,000 if found and fixed during implementation, and $12,000 if found and fixed during testing.

A 2016 study by IBM found that static analysis security testing (SAST) tools can return 2.5 times their cost by finding vulnerabilities earlier in the lifecycle.

Considering security early in development allows developers to start coding with security in mind and gives them the tools to perform their own static and open-source component scans before committing code. The key here is to make these tools fast, easy to use, and integrated into the tools developers already use.

Another tip is to provide developers with clear and easy-to-understand remediation guidance, which makes security adoption faster, with less friction from the dev teams.
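One way to make a pre-commit scan behave like the rest of QA testing, as an added example that is not code from the article or from Micro Focus Fortify: scanner findings are gated like test results, with a blocking severity threshold, a reviewed list of accepted risks, and the remediation guidance printed beside each finding. The JSON field names, the sample report and the accepted-risk list are assumptions constructed for this example.

```python
import json
from collections import namedtuple

# Severity order; a label outside this set is mapped to "high" so an unexpected
# value from the scanner fails closed instead of slipping through the gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
Finding = namedtuple("Finding", "rule severity file line guidance")

def parse_report(raw: str) -> list:
    """Parse a scanner's JSON findings list (the field names are this example's assumption)."""
    findings = []
    for item in json.loads(raw):
        sev = str(item.get("severity", "")).lower()
        findings.append(Finding(item["rule"], sev if sev in SEVERITY_RANK else "high",
                                item["file"], int(item["line"]),
                                item.get("guidance", "No guidance supplied.")))
    return findings

def run_gate(raw_report: str, min_block: str = "high", accepted=frozenset()):
    """Return (passed, report lines). A finding blocks the commit, exactly like a
    failing test, when its severity reaches min_block and it is not an accepted risk."""
    threshold = SEVERITY_RANK[min_block]
    lines, blocking = [], 0
    for f in sorted(parse_report(raw_report), key=lambda f: -SEVERITY_RANK[f.severity]):
        if (f.rule, f.file) in accepted:  # documented exception, reviewed separately
            lines.append(f"ACCEPTED {f.rule} at {f.file}:{f.line}")
            continue
        status = "BLOCK" if SEVERITY_RANK[f.severity] >= threshold else "WARN"
        blocking += status == "BLOCK"
        # Every finding carries its remediation so the developer can act without a ticket.
        lines.append(f"{status} [{f.severity}] {f.rule} at {f.file}:{f.line}\n    fix: {f.guidance}")
    return blocking == 0, lines

# Constructed sample report and accepted-risk list, not real scanner output.
SAMPLE_REPORT = json.dumps([
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42,
     "guidance": "Use a parameterised query instead of string formatting."},
    {"rule": "weak-hash", "severity": "medium", "file": "app/auth.py", "line": 17,
     "guidance": "Replace MD5 with a password hashing function such as bcrypt."},
    {"rule": "hardcoded-secret", "severity": "critical", "file": "tests/fixtures.py", "line": 3,
     "guidance": "Load credentials from the environment or a secrets manager."},
])
ACCEPTED_RISKS = frozenset({("hardcoded-secret", "tests/fixtures.py")})  # dummy test creds

if __name__ == "__main__":
    ok, report = run_gate(SAMPLE_REPORT, accepted=ACCEPTED_RISKS)
    print("\n".join(report))
    raise SystemExit(0 if ok else 1)  # non-zero exit stops the commit or the CI stage
```

Wired into a pre-commit hook or a CI stage, the non-zero exit makes a high-severity finding fail the build in the same way a failing unit test would.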

2. Increase awareness of security's importance across disciplines

While the number of companies that are aware of security design issues has crossed a threshold—becoming a majority in the new report—awareness remains the No. 1 issue. Having organizational buy-in for security from the top down is essential to the success of a security program.

Application security experts understand that awareness is key. One out of five professionals—the largest segment—rated security requirement identification and evaluation as the top issue facing companies. Static and dynamic code scanning and secure code review were the second and third most important issues, with 16% and 13% shares, respectively.

A key way to tackle the awareness issue is to identify and appoint security champions throughout the organization. With specific training, these champions can be tasked with putting security first within their development or operations group, performing security assessments, and having clear goals and metrics to achieve.

Moreover, companies do not need to start from scratch. There are many proven guidelines available, such as the OWASP Software Assurance Maturity Model, that can give organizations clear guidance on how to start and build an effective security program—or how to fix an existing one.

3. Focus on software security vs. perimeter defense

Typically, an organization allocates a significant portion of its security budget to network or perimeter security—trying to catch the attack as early as possible rather than preventing it to begin with. Yet the US Department of Homeland Security (DHS) states that 90% of security incidents result from exploits against defects in software.

This suggests that application security really is the most important aspect of breach prevention.

History bears this out as well. The Equifax breach occurred because the company missed patching a known security flaw, a failure both in discovery and in operations. The Target breach happened because a third-party supplier failed to patch its systems.

While there are different levels of security in which an organization can invest—from data to application to endpoint to network to perimeter—identifying vulnerabilities and patching the issues is a fundamental measure that all companies should pursue.

Automating the discovery and remediation of vulnerabilities through tooling and regular testing turns security checks from interruptions in the developers' workflow into constant reminders and learning opportunities that reduce the number of flaws in the resulting software.

Invest in app sec wisely

While secure development, quality assurance, and testing have changed in many ways—especially in their efforts to keep up with the risks—many of the fundamentals still apply. Because these best practices endure despite the changing threats, companies should invest in them regularly.
