Keeping pace with agility
The essence of agility is change - and so it not only changes projects, but continuously changes itself. Thanks to DevOps, software development has been accelerated enormously. In many companies, however, it becomes apparent that other departments often cannot keep up with this new pace. One example is quality assurance. On Funkschau.de, Diana Künstler has considered how it is possible to always keep up with the latest developments in the field of agility. She does this by means of a list of the ten most important points for securing the SDLC, published by the renowned software security provider Checkmarx. We summarise their theses for you below.
Rapid development - lack of security
Thanks to DevOps, software development today takes place at a speed that could hardly have been imagined ten years ago. Products reach market maturity much faster and customers can receive new builds almost daily. However, quality assurance is often overwhelmed by the rapid pace. As a result, faulty code sometimes ships, opening the door to cybercrime. Checkmarx points out that developers are forced to work agilely and sometimes even deliver several new builds per day in order to keep up with the competition. Attention goes to the competitors and to the output of agile software development, while security tends to be somewhat neglected. Now that agile development is the standard, the focus should be on security and quality assurance, because there are clearly many gaps in this area, and so it is already possible today to stand out from the competition with more secure products. Adapting security to the rapid pace of development is therefore the current challenge. Advancing digitalisation and the Internet of Things make this focus necessary and logical. No one can afford to put security on the back burner or even neglect it.
Important points in software development
According to Checkmarx's list, there are a number of things to consider in the area of DevSecOps that will make products more secure and thus more competitive. First of all, it is advisable to find any existing security vulnerabilities as early as possible. To do this, it is necessary to carry out analyses in the early stages of development with the help of static security tests, so-called SAST (static application security testing), and to detect errors already in the source code. At this stage, i.e. before the first test phase, the effort required to eliminate a bug is lowest. Checkmarx is convinced that open source code must also be included in security testing: developers must not assume that open code is actually secure. Through OSA (Open Source Analysis) solutions, developers can detect flaws in open source components and thus react quickly to unsafe elements by removing or improving them.
Continuous security check
Analysis of compiled code is important, according to Checkmarx. By means of IAST (interactive application security testing), it is possible to determine whether the compiled code contains errors. An IAST analysis can be easily automated and incorporated into the daily routine. It is fast and efficient and finds security gaps during the final phase of development. The next piece of advice is aimed at staff training. The Checkmarx experts recommend training developers using interactive training platforms, during development itself. For example, training on how to recognise errors and on different error detection methods is ideally integrated into the daily development routine.
Ideally, analysis should be integrated throughout the software development process. Various analysis tools cover the entire development life cycle. Mandatory feedback loops are integrated, leading to further changes. With a little practice and the perfect timing, debugging and security testing can be integrated in a way that does not slow down the development process. Early detection of bugs even means that the actual testing phase can proceed more quickly. The goal is to provide a more secure product in the same amount of time.
Involvement and use of all possibilities
The development team should always be at the centre of everything that happens, including security issues. It is best to involve the developers in software security from the very beginning. This is the only way to guarantee that the chosen solution will be accepted by the developers. The developers should have a say in deciding which platform is used, including for security. Prioritisation is another decisive criterion: in addition to identifying vulnerabilities, the analysis should also prioritise them. This makes it easier to distinguish between critical problems and false positives. A combination of OSA, IAST, SAST and machine learning can provide actionable recommendations and thus create real added value in troubleshooting. When selecting a security platform, it is important to ensure that it supports all common programming languages and development environments. Last but not least, easy handling is also important. Appropriate management tools are indispensable in order to be aware of the security situation at all times. Sorting information by project, phase, time, KPI and topic is of great importance and is offered by the common tools. Finally, automation remains to be mentioned. Checkmarx advocates always automating security testing so that it can keep up with the speed of DevOps. Security testing thus runs continuously in the background and relieves the burden on developers, while providing them with important information for the next steps and giving them more time for creative tasks.
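As an added illustration of the prioritisation and automation points above (example code written for this summary, not Checkmarx's product or the article's own), the following script merges findings from SAST, OSA and IAST scans, treats a hit corroborated by more than one method as confirmed, marks a weak single-tool hit as a probable false positive, and derives a pipeline gate decision. The finding fields, tool names, thresholds and sample findings are all constructed assumptions.

```python
# Added example: triage of combined SAST/OSA/IAST findings for a CI gate.
# Field names, confidence semantics and thresholds are assumptions.
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    tool: str          # "sast", "osa" or "iast"
    rule: str          # weakness or advisory id (constructed values below)
    location: str      # file:line for code, package@version for components
    severity: str
    confidence: float  # 0.0 .. 1.0 as reported by the tool (assumed field)

def prioritise(findings, min_confidence=0.5):
    """Group by (rule, location), corroborate across tools, sort by risk."""
    grouped = {}
    for f in findings:
        grouped.setdefault((f.rule, f.location), []).append(f)
    triaged = []
    for (rule, location), group in grouped.items():
        tools = sorted({f.tool for f in group})
        severity = max(group, key=lambda f: SEVERITY_RANK[f.severity]).severity
        # Each additional analysis method reporting the same issue raises
        # confidence; a lone low-confidence hit is a probable false positive.
        confidence = min(1.0, max(f.confidence for f in group) + 0.25 * (len(tools) - 1))
        status = "confirmed" if confidence >= min_confidence else "probable_false_positive"
        triaged.append({"rule": rule, "location": location, "tools": tools,
                        "severity": severity, "confidence": round(confidence, 2),
                        "status": status})
    triaged.sort(key=lambda t: (-SEVERITY_RANK[t["severity"]], -t["confidence"]))
    return triaged

def gate(triaged, fail_on=("critical", "high")):
    """True when the build may proceed: no confirmed finding at a blocking severity."""
    return not any(t["status"] == "confirmed" and t["severity"] in fail_on
                   for t in triaged)

# Constructed sample scan output for one build (not real scanner data).
SAMPLE = [
    Finding("sast", "CWE-89", "app/db.py:42", "high", 0.6),
    Finding("iast", "CWE-89", "app/db.py:42", "critical", 0.9),   # same sink seen at runtime
    Finding("sast", "CWE-79", "app/views.py:17", "medium", 0.3),  # weak single-tool hit
    Finding("osa", "CVE-PLACEHOLDER", "leftpad@1.0.0", "low", 0.95),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE):
        print(t)
    print("build allowed:", gate(prioritise(SAMPLE)))
```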
Author: IAPM internal
Key words: Project management, Agile project management, DevOps, Digital mindset