Agility – Why it is essential to include the issue of security.
How can the latest developments in agility be related to the topic of security and, above all, how can security keep pace? Diana Künstler deals with precisely this topic on Funkschau.de. Change is at the core of agility, so agility continuously changes not only projects but also itself. Thanks to DevOps, software development has also accelerated enormously. Unfortunately, in many companies it becomes apparent that other departments often cannot keep up with this new pace. One example is quality assurance. Checkmarx, a renowned provider of software security, has published a list of the ten most important points for securing the SDLC.
Rapid development – lack of security
Thanks to DevOps, software development today takes place at a speed that could hardly have been imagined ten years ago. As a result, products reach market maturity much faster. Customers can receive new builds almost daily. However, quality assurance is often overwhelmed by the rapid pace. One possible consequence is faulty code that opens the door to cybercrime. Checkmarx points out that developers are forced to work in an agile way. Sometimes they must even deliver several new builds per day to keep up with the competition.
Also, people often only look at the competitors and the results from agile software development. Security is often neglected a little. Especially in times of agile development, the focus should be on security and quality assurance. If there were no more gaps in these two areas, it would pave the way for more secure products, which in turn would clearly set you apart from the competition. The goal is therefore to adapt security to the rapid pace of development. Advancing digitalisation and the Internet of Things make this focus necessary and logical. No one can afford to put this topic on the back burner or even neglect it.
Important points in software development
According to the Checkmarx list, there is a lot to consider in the area of DevSecOps. The list names the factors that make products more secure and thus also more competitive. First of all, it is advisable to find any existing security gaps as early as possible. To do this, it is necessary to carry out analyses in the early stages of development with the help of static application security tests (SAST) and to detect errors in the source code itself. At this stage, i.e. before the first test phase, the effort required to eliminate a bug is the lowest. Checkmarx is convinced that including open source code in the security tests is mandatory. Developers must not assume that open source code is actually secure. By using OSA (Open Source Analysis) solutions, however, they can detect bugs in the open source code, react quickly to unsafe elements, and remove or improve them.
Continuous security check
The analysis of the compiled code is important, according to Checkmarx. By means of an IAST, an interactive security analysis, it can be determined whether the compiled code is error-free. An IAST analysis can be easily automated and incorporated into the daily routine. It finds gaps in security during the final phase of development and is fast and efficient. The next piece of advice is aimed at staff training. The experts at Checkmarx recommend that developers be trained using interactive training platforms, and that this be done during the development phase. For example, training on different error detection methods can be integrated into the daily development routine.
Ideally, analysis should be integrated throughout the software development process. Various analysis tools cover the entire development life cycle. Mandatory feedback loops are integrated. With a bit of practice and perfect timing, debugging and security testing can be integrated in a way that does not slow down the development process. Early detection of bugs even means that the actual testing phase can proceed more quickly. The goal is always a more secure product that can be made available in the same amount of time.
Involvement and use of all possibilities
The development team should always be at the centre of everything that happens, including security issues. It is therefore best to involve the developers in the topic of software security from the very beginning. The development team should have a say in which platform is used, including for security. This is the only way to guarantee that the chosen solution will meet with acceptance.
Prioritisation is another decisive criterion: vulnerabilities should not only be identified but also prioritised as part of the analysis. This makes it easier to differentiate between critical problems and false positives. A combination of OSA, IAST, SAST and machine learning can provide actionable recommendations and thus create real added value in troubleshooting.
When selecting a security platform, it is important to ensure that it supports all common programming languages and development environments. Easy handling is also important. Appropriate management tools are essential to get an overview of the security situation. Sorting information by project, by phase, chronologically, and by KPI or topic is of great importance and is offered by the common tools.
Finally, automation remains to be mentioned. Checkmarx advocates always automating security testing so that it can keep up with the speed of DevOps. Security testing thus runs continuously in the background and relieves the burden on developers while providing them with important information for the next steps. This gives developers more time for creative tasks.
Author: IAPM internal
Key words: Agile project management, Knowledge, Guide