How Development Teams Can Stay Agile Without Sacrificing Cybersecurity

Forbes Technology Council

Nikhil Gupta is a cybersecurity expert and the founder and CEO of ArmorCode, an award-winning DevSecOps platform.

In today’s digital world, businesses cannot afford to sit still. You have to keep innovating and moving on to the next version of the product; if you wait, competitors leave you behind.

Technological progress and competitive pressure have shortened innovation cycles. Software used to be released once or twice a year; in today’s agile world, releases every week, or even every day, are not uncommon.

The challenge, however, is keeping an innovative mindset without putting your company at risk of a cyberattack.

Not Enough People, Not Enough Time

While developers are often tasked with driving innovation, the application security teams are the gatekeepers. Their job is to ensure that each new iteration and line of code does not put the broader enterprise at risk. The trouble is the AppSec team is usually significantly outnumbered by the developers.

The speed of iteration, paired with this disparity in headcount, means that many businesses ship code that has not been properly vetted for security. As you can imagine, the challenge only worsens as development teams push code faster and faster, leaving security teams unable to catch up. For each problem the security team does find, it must then work to find a patch or fix the code, while the backlog of unchecked code continues to grow.

To make matters worse, the relationship between the development, operations and security teams is anything but harmonious. Each department typically works in its own silo, with little or no communication across the broader team. Because the teams don’t work together, they tend to have their own processes and tools, which widens the divide. This disconnect is a major problem for application security in itself, and it creates additional problems further down the development pipeline.

The cost of detecting and fixing software issues rises sharply at each later stage of the life cycle. According to a study by the National Institute of Standards and Technology, “For errors introduced in the coding/unit testing stage, respondents indicated that it was twice as costly to fix the error if it was not found until the integration phase and five times as costly if it was not detected until post-product release.” Once the software is released, enterprises also need to factor in the cost of business disruption, reputational damage and service level agreement violations.

How Do We Fix This?

This cavalcade of challenges leaves a business more and more vulnerable to attack. But is there anything we can do about it? Yes, but we have to change how we approach the problem. We can’t magically fix the imbalance between the developer and AppSec teams, and slowing down or bottlenecking the development process isn’t viable in a competitive business environment.

The solution is to unite the teams and change three processes into one—application, security and operations.

Application security is most effective and efficient when there is both a systematic and interconnected method of communication, along with shared processes between the application development, security and operations teams. This connection must extend all the way from development to deployment to production and requires us to think of development in an entirely new way.

This is a fundamental change to how business is done, and it will require a change not only in how teams interoperate but also how they evaluate their interaction with the various tools that have been put in place. Software testing and scanning tools, pipeline managers, ticketing and communications systems, threat intelligence modeling and infrastructure alerting must be integrated as closely as possible.

This integration is particularly important for helping security teams manage the sheer number of alerts thrown at them by their various tools. Development teams are better served when they can see the most critical issues that must be fixed immediately, instead of manually weeding through thousands of alerts, many of which are not critical. In a world where software is released weekly or even daily, security teams need to check for continuous compliance, not just every few months or, at worst, once a year. Ultimately, the key is to erase the mindset that first we develop and then we secure.

When security is baked into the process, we are far better placed to respond to zero-day attacks. When the cyberattack involving SolarWinds and other organizations happened, many people called it a “once in a decade” phenomenon, yet the Log4j vulnerability rocked the business world a year later. The lesson of these attacks is the critical importance of streamlining AppSec and operations so that whenever a zero-day attack does occur, you can see its impact on the organization within minutes, not days or weeks, and begin addressing the issues.
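To make the “within minutes, not days or weeks” point concrete, here is an added example (not code from this article or from ArmorCode) of the question a streamlined team can answer the moment an advisory lands: given an inventory of which services ship which component versions, which services are running a build inside the affected range, most exposed first? The inventory, the service names and the affected version range are all constructed for illustration; a real team would populate the same structure from its build SBOMs or dependency database.

```python
"""Added example: find the services exposed to a newly disclosed vulnerable
component by querying a dependency inventory.

The inventory, the service names and the affected range below are constructed
for this example; in practice the same data comes from per-build SBOMs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    internet_facing: bool
    components: dict  # component name -> version string shipped by the service


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Non-numeric suffixes such as '-rc1' are dropped, and the tuple is padded
    to three parts so that '2.15' and '2.15.0' compare as equal.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_affected_range(version: str, low: str, fixed: str) -> bool:
    """True when low <= version < fixed, where fixed is the first patched release."""
    return parse_version(low) <= parse_version(version) < parse_version(fixed)


def impacted_services(inventory, component, low, fixed):
    """Return (service name, version) pairs that ship an affected build.

    Internet-facing services are listed first so the most exposed work is
    ranked on top, which is the triage order an on-call team wants.
    """
    hits = []
    for svc in inventory:
        ver = svc.components.get(component)
        if ver is not None and in_affected_range(ver, low, fixed):
            hits.append((svc.name, ver, svc.internet_facing))
    hits.sort(key=lambda h: (not h[2], h[0]))
    return [(name, ver) for name, ver, _ in hits]


# Constructed inventory: four services and the libraries each one ships.
INVENTORY = [
    Service("payments-api", True, {"log4j-core": "2.14.1", "jackson-databind": "2.12.3"}),
    Service("batch-reporting", False, {"log4j-core": "2.3", "commons-text": "1.9"}),
    Service("admin-portal", True, {"log4j-core": "2.17.0"}),
    Service("mobile-gateway", True, {"netty-all": "4.1.68"}),
]


if __name__ == "__main__":
    # Assumed advisory data for the example: "log4j-core" builds from 2.0 up to,
    # but not including, 2.15.0 are treated as affected.
    for name, ver in impacted_services(INVENTORY, "log4j-core", "2.0", "2.15.0"):
        print(f"{name}: log4j-core {ver} is in the affected range")
```

The useful property is that the query is the same for every advisory: only the component name and range change, so the answer takes as long as the lookup, not as long as an email thread between teams.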

By building our businesses differently and properly combining development, security and operations, we can reduce our exposure and better protect against breaches. Each year seems to bring more cyberattacks than the last, and that will not change in the foreseeable future, so we need to reevaluate how we operate.
