Software is increasingly becoming key to every enterprise’s innovation, competitive advantage, and bottom line. At the same time, it’s also increasingly becoming cyberattackers’ favorite target. Consequently, in the world of software security testing, slow and late are out. “The earlier the better” doesn’t apply in all circumstances, but it is certainly the case when it comes to security testing code. The earlier in the development process you identify security-related defects, the easier, faster, and cheaper they are to fix. According to NIST, fixing vulnerabilities at the coding stage provides a 10x cost savings versus fixing vulnerabilities in the testing stage.
A couple of factors are combining to make this "find and fix early" focus even more critical:
- Enterprises' increased focus on development speed: Getting apps into production fast has become a competitive advantage and has driven the shift toward rapid delivery practices such as continuous integration and continuous delivery (CI/CD). In this environment, security solutions that slow things down by tacking testing onto the end of the development process are no longer feasible.
- Cyberattackers’ increased focus on the app layer: Ineffective application security isn’t an option anymore. Verizon recently studied 2,260 confirmed data breaches across 82 countries and found that 40 percent resulted directly from web app attacks, by far the largest category. In addition, according to Akamai’s Q3 2015 State of the Internet Security Report, attacks at the application layer are growing by more than 25 percent annually.
In the end, we need to secure apps, and we need AppSec solutions that work the way developers need to work today.
Enter Veracode Accelerated Results
As part of our continuing efforts to help developers secure their code at DevOps speed, our Static Analysis product now includes a feature called Accelerated Results. This feature gives developers security findings from static analysis earlier in the static scanning process so they can work on making fixes sooner.
Applications in some languages, including .NET languages (which account for over 25 percent of all enterprise applications), consist of multiple code "modules" (in .NET, the individual assemblies). Veracode's Accelerated Results feature delivers results to developers as each module finishes scanning, rather than only after the whole application has been analyzed, so developers get faster results turnaround and can start fixing issues sooner. The application's overall results are complete only once every module has finished scanning.
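To make the per-module model concrete, here is an added example (not Veracode's code or API) that simulates a scanner reporting findings module by module and shows how a CI gate can act on each module's results as they arrive. The module names, the severity scale, the CWE identifiers and the sample findings are all constructed for illustration. The gate blocks the build as soon as a module reports a finding at or above the configured severity, without waiting for the remaining modules, but it refuses to report a pass until every module has been scanned successfully, because partial results are not a clean bill of health.

```python
"""Incremental gating over per-module static-analysis results.

Added example, not Veracode's code or API. It models a scanner that emits
findings one module at a time and a CI gate that consumes them in arrival
order: fail fast on a serious finding, never pass on incomplete results.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

# Severity scale is an assumption for this example (higher is worse).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass
class Finding:
    module: str
    cwe: str
    severity: str
    location: str


@dataclass
class ModuleResult:
    module: str
    status: str  # "ok", or "error" when the scan of this module failed
    findings: List[Finding] = field(default_factory=list)


@dataclass
class GateState:
    modules_done: List[str] = field(default_factory=list)
    modules_failed: List[str] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)
    blocked_at: Optional[str] = None  # first module whose results breached policy
    complete: bool = False


def gate(results: Iterator[ModuleResult], total_modules: int,
         block_at: str = "high") -> GateState:
    """Consume per-module results as they arrive.

    Policy: record a block as soon as any finding at or above `block_at`
    arrives (the remaining modules need not finish before the build is
    failed); a module whose scan errored is unknown, not clean, so the
    application is only `complete` when every module reported "ok".
    All findings are still collected so developers see the full list.
    """
    threshold = SEVERITY[block_at]
    state = GateState()
    for r in results:
        state.modules_done.append(r.module)
        if r.status != "ok":
            state.modules_failed.append(r.module)
            continue
        state.findings.extend(r.findings)
        if state.blocked_at is None and any(
            SEVERITY[f.severity] >= threshold for f in r.findings
        ):
            state.blocked_at = r.module
    ok_modules = len(state.modules_done) - len(state.modules_failed)
    state.complete = ok_modules == total_modules
    return state


def verdict(state: GateState) -> str:
    """'fail' on a policy breach, 'pending' until all modules are in, else 'pass'."""
    if state.blocked_at is not None:
        return "fail"
    if not state.complete:
        return "pending"  # partial results are not a pass
    return "pass"


# Constructed sample stream: three .NET assemblies finishing in this order.
def sample_stream() -> Iterator[ModuleResult]:
    yield ModuleResult("Web.dll", "ok", [
        Finding("Web.dll", "CWE-79", "medium", "Views/Search.cshtml:12"),
    ])
    yield ModuleResult("Data.dll", "ok", [
        Finding("Data.dll", "CWE-89", "very_high", "Repo/UserRepo.cs:44"),
    ])
    yield ModuleResult("Util.dll", "ok", [])


if __name__ == "__main__":
    s = gate(sample_stream(), total_modules=3)
    print(verdict(s), "blocked at", s.blocked_at, "findings", len(s.findings))
```

With the sample stream the build is failed after the second module reports, one module before the scan would otherwise have finished; a stream in which one module's scan errors, or in which fewer modules have reported than expected, yields "pending" rather than "pass".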
Making Developers’ Lives Easier
Ultimately, AppSec will not be effective going forward unless it aligns with development and supports the move toward more rapid development cycles.
Accelerated Results takes another step toward that alignment by allowing developers to get started fixing vulnerabilities sooner, compressing overall development cycles and leading to higher fix rates earlier in the SDLC.
For more details on securing code at DevOps speed, see 5 Principles for Securing DevOps.