Adapt or get left behind: Why 'shift everywhere' is the new imperative for application security
Digital transformation is now an integral part of the success story of every modern organization. However, there is ever greater pressure on developers to speed up the release cycles of the software on which organizations rely. That software is the foundation for revenue growth, competitive advantage and long-term business success, so the impetus to shorten lifecycles is built on commercial necessity.
Organizations want to be first to market with the latest and greatest software, which can mean that risks are introduced when the pressure to meet a deadline outweighs the need to ensure that all code is free of vulnerabilities.
However, speed to market should not come at the expense of application security. Adopting a cutting-edge AppSec approach allows organizations to drive revenue growth while simultaneously mitigating cybersecurity risk, making it a critical component of security strategies.
Organizations must reframe their AppSec approach by taking a holistic look at every stage of the software development lifecycle to identify gaps in security. To this end, it is not only about 'shifting left', nor just about 'shifting right'. Application security should be present in all elements and phases of the application development lifecycle, an approach referred to as 'shifting everywhere.'
Modern development practices and risks
In today's hyper-digitized world, code is powering everything from cars to air conditioning units to invoicing systems. Every digital product is built on several machine-readable languages. Unfortunately, this extensively used code is often the first point of vulnerability for any threat. In fact, from our own research, 88 percent of organizations experienced at least one breach in the past 12 months that was a direct result of a vulnerable application they developed in-house. With more numerous and complex applications come increased security risks.
Additionally, modern application development and cloud-native approaches contribute to the risk factors. In fact, these approaches rely heavily on open source, third-party packages and components, cloud resources, IaC, containers, and application programming interfaces (APIs) since these are foundational building blocks of modern software. These also significantly increase the potential attack surface.
However, most vulnerabilities come from the internal code of the applications, which provides a back door for cyber attacks. Our survey found that 50 percent to 74 percent of the applications a company develops and deploys contain open source and third-party libraries, packages and components.
Application Security is a business imperative
AppSec supports business and brand growth by securing processes and products, since digital applications play a crucial role in generating income and creating competitive differentiation for most organizations. In fact, in our recent survey, 75 percent of CISOs acknowledged that the predominant source of their company's business or revenue was delivered through the very applications they were tasked with securing.
At the same time, fast-moving markets typically rely on short release cycles, as companies need to be first to market with the latest software to drive new and recurring revenue. This race for developers to promptly release new services and products has further added to the pressure and increased the risk. Nearly 40 percent of AppSec managers and software developers reported that vulnerable code was deployed into production "to meet a business, feature, or security-related deadline."
Taking a step in the right direction
It is crucial to build security into all stages of development so that products can meet these faster development lifecycles without compromising security. Emphasizing AppSec across all digital initiatives and nurturing a security-first culture can help to ensure that developers prioritize security at every stage of the software development cycle. It is essential to make AppSec easy to implement, to decrease the likelihood of vulnerabilities being discovered late, when remediation can be costly.
Businesses should also integrate AppSec into the development operations (DevOps) pipeline to ensure that security is an integral part of the development project rather than an afterthought. This can help flag and fix potential high-risk vulnerabilities earlier and reduce the cost associated with late-stage remediation efforts. This will ultimately help companies boost their bottom lines and increase stakeholder value.
A 'Shift Everywhere' approach to AppSec adds security to every application, version, and location before, during and after deployment. Businesses must adopt a 'Shift Everywhere' mindset and invest in tools for learning and development. These tools must offer sufficient resources and opportunities for the teams to stay abreast of the latest security technologies and best practices. This will provide a competitive edge to the company and drive innovation.
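To make the two preceding paragraphs concrete, here is an added example (not code from the article or from Checkmarx) of a stage-aware policy gate that a team could invoke at every point of a DevOps pipeline: pre-commit, build, deploy and a post-deployment runtime scan. The same findings format is judged everywhere, with a severity threshold that tightens as code approaches production, so a high-risk issue is blocked at the earliest stage that sees it rather than after release. The scanner labels (`sast`, `sca`, `iac`, `dast`), the stage thresholds and the sample findings are all constructed for this illustration and are not a standard or a vendor's output format.

```python
"""Stage-aware AppSec policy gate (added example; all scanner labels,
thresholds and sample findings below are constructed, not real tool output)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Lowest severity that fails the gate at each stage (constructed policy).
# Thresholds tighten as the code gets closer to production.
STAGE_THRESHOLD = {
    "pre-commit": "critical",  # fast developer feedback: only block the worst
    "build": "high",           # SAST + SCA results gate the build artifact
    "deploy": "high",          # IaC / container findings gate the release
    "runtime": "medium",       # DAST findings in production must be triaged
}

PIPELINE_ORDER = ("pre-commit", "build", "deploy", "runtime")


@dataclass(frozen=True)
class Finding:
    source: str          # which scanner reported it, e.g. "sast" (constructed label)
    severity: str        # "low" | "medium" | "high" | "critical"
    identifier: str      # rule id or package name (constructed)
    fix_available: bool = False


def blocking_findings(findings: List[Finding], stage: str) -> List[Finding]:
    """Return the findings at or above the stage's severity threshold."""
    threshold = SEVERITY_RANK[STAGE_THRESHOLD[stage]]
    return [f for f in findings if SEVERITY_RANK[f.severity.lower()] >= threshold]


def evaluate_stage(findings: List[Finding], stage: str) -> Tuple[bool, List[str]]:
    """Judge one stage; returns (passed, human-readable report lines)."""
    blockers = blocking_findings(findings, stage)
    lines = [
        f"[{stage}] {len(findings)} finding(s), "
        f"{len(blockers)} at or above '{STAGE_THRESHOLD[stage]}'"
    ]
    for f in blockers:
        hint = "fix available" if f.fix_available else "no fix yet; needs triage"
        lines.append(f"  BLOCK {f.source}:{f.identifier} ({f.severity}; {hint})")
    return (not blockers, lines)


def run_pipeline(stage_results: Dict[str, List[Finding]]) -> Tuple[str, List[str]]:
    """Evaluate stages in order and stop at the first one that fails.

    Returns ("passed", report) when every gate passes, otherwise the name of
    the failing stage, which is where remediation is cheapest.
    """
    report: List[str] = []
    for stage in PIPELINE_ORDER:
        passed, lines = evaluate_stage(stage_results.get(stage, []), stage)
        report.extend(lines)
        if not passed:
            return stage, report
    return "passed", report


# Constructed sample results, one list per stage, as a scanner wrapper might emit.
SAMPLE_RESULTS: Dict[str, List[Finding]] = {
    "pre-commit": [Finding("sast", "medium", "hardcoded-secret-candidate")],
    "build": [
        Finding("sast", "high", "sql-string-concatenation"),
        Finding("sca", "critical", "example-lib@1.2.3", fix_available=True),
    ],
    "deploy": [Finding("iac", "high", "storage-bucket-public-read")],
    "runtime": [Finding("dast", "medium", "missing-csp-header")],
}

if __name__ == "__main__":
    failed_at, report = run_pipeline(SAMPLE_RESULTS)
    print("\n".join(report))
    print("result:", failed_at)
```

With the constructed sample data the pre-commit gate passes (a medium finding does not block a developer's commit), and the pipeline stops at the build stage because the SAST and SCA scans each report a blocking finding; the deploy and runtime findings are never reached, which is the point of gating early. The design choice worth noting is that one gate and one findings format serve every stage; only the threshold changes, so the team does not maintain four different security policies.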
Modern development processes and the drive to digital transformation require a new approach to application security. This reflects the growing need for AppSec to be everywhere, and at every stage, so that risks are identified as early as possible. In this way organizations can reap the benefits of truly agile development at speed, whilst reducing risk and future-proofing apps against whatever the changing threat landscape may hold for us.
Image Credit: Wayne Williams
Kobi Tzruya is Chief R&D Officer at Checkmarx.