Balancing Speed With Security in Application Development

February 23, 2020 Kevin Delaney


Building security into the development process

To respond to change quickly and stay competitive, business leaders demand faster software deployments. In response, organizations are adopting various Agile development methodologies. Some work better than others, but the real question is whether the software being delivered has enough security built in.

The traditional approach to implementing security in the Software Development Life Cycle (SDLC) results in software being reviewed at the very end and then recycled back into the SDLC to address security vulnerabilities — a costly and time-consuming approach.

It also means delivery timelines are often compromised, frustrating both the business and the executives who want to move quickly without taking on undue risk.

Faster deployments, but lack of security

A 451 Research survey of 350 enterprise IT decision-makers in the U.S. and Europe found that about half of the organizations had increased their speed to market through CI/CD but had not addressed application security deficiencies. In other words, speed in the CI/CD pipeline is often pursued without security in mind.

That leads to more vulnerabilities in the code and increased time and effort to remediate deficiencies (if at all).

DevSecOps advocates that security should be built into each phase of the DevOps pipeline, rather than being applied only to a finished application. This allows the business to manage timelines for applications with built-in security and compliance. The challenge is ensuring that everyone along the SDLC is responsible for security and compliance requirements — and that the business can obtain traceable assurance against software security risks.

Ensuring security with fast development

Most regulatory requirements are not written in a form that maps directly onto the software an organization develops, and compliance audits happen only periodically. If secure code is to be delivered on time, security has to be part of the development pipeline itself rather than a separate, occasional check.

Every approach depends on giving the development team thorough security training and clear guidance on how to recognize and remediate flaws. Findings also need to be prioritized: the most critical vulnerabilities carry the highest risk of exploitation and should be fixed first. Adding to the complexity, not all applications carry the same risk rating across an organization, so the same finding may warrant a different response depending on where it appears.
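
The two ideas above, a security check at each pipeline phase and risk-based prioritization of what it finds, can be combined into a single release gate. The following Python is an added example written for this page, not code from the article or from Security Compass: the finding record format, the application risk tiers, the severity weights and the per-tier thresholds are all illustrative assumptions, and the sample findings are constructed rather than real scanner output.

```python
"""Risk-based security gate for a CI/CD pipeline (added example, not from the article).

Assumptions (not from the page): findings arrive as simple records such as a
SAST/SCA scanner might emit; the risk tiers, severity weights and per-tier
thresholds are illustrative policy values chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# Illustrative severity weights used to rank findings for remediation.
SEVERITY_WEIGHT: Dict[str, int] = {"critical": 10, "high": 6, "medium": 3, "low": 1}

# Illustrative policy: what each application risk tier may ship with.
# tier1 = internet-facing, handles regulated data; tier3 = internal tooling.
TIER_POLICY: Dict[str, Dict] = {
    "tier1": {"block_on": {"critical", "high"}, "max_score": 0},
    "tier2": {"block_on": {"critical"}, "max_score": 12},
    "tier3": {"block_on": set(), "max_score": 30},
}


@dataclass(frozen=True)
class Finding:
    """One scanner finding. exploit_known flags issues with a public exploit."""
    id: str
    severity: str
    exploit_known: bool = False
    location: str = ""


@dataclass
class GateResult:
    app: str
    tier: str
    blocked: bool
    score: int
    reasons: List[str]
    remediation_order: List[str]  # finding ids, most urgent first


def finding_score(f: Finding) -> int:
    """Weight by severity; a known exploit doubles the urgency of a finding."""
    base = SEVERITY_WEIGHT[f.severity.lower()]
    return base * 2 if f.exploit_known else base


def evaluate_gate(app: str, tier: str, findings: Sequence[Finding]) -> GateResult:
    """Decide whether a build may proceed, and in what order to fix what it found.

    Three rules, checked in order of importance:
    1. any finding whose severity the tier refuses to ship blocks the release;
    2. a finding with a known exploit blocks unless it is only low severity;
    3. the aggregate weighted score must stay within the tier's budget.
    """
    policy = TIER_POLICY[tier]
    block_on: Set[str] = policy["block_on"]
    ordered = sorted(findings, key=finding_score, reverse=True)  # stable sort keeps scanner order on ties
    score = sum(finding_score(f) for f in findings)
    reasons: List[str] = []
    for f in ordered:
        sev = f.severity.lower()
        if sev in block_on:
            reasons.append(f"{f.id}: {sev} severity is not allowed for {tier}")
        elif f.exploit_known and sev != "low":
            reasons.append(f"{f.id}: public exploit available, fix before release")
    if score > policy["max_score"]:
        reasons.append(f"aggregate risk score {score} exceeds {tier} budget {policy['max_score']}")
    return GateResult(app, tier, bool(reasons), score, reasons, [f.id for f in ordered])


def gate_report(result: GateResult) -> str:
    """One-line, machine-greppable record for the audit trail."""
    verdict = "BLOCK" if result.blocked else "PASS"
    return (f"app={result.app} tier={result.tier} verdict={verdict} "
            f"score={result.score} findings={','.join(result.remediation_order)}")


if __name__ == "__main__":
    # Constructed sample findings, not real scanner output.
    payments = [
        Finding("SQLI-001", "high", location="api/orders.py:88"),
        Finding("XSS-002", "medium", exploit_known=True, location="web/search.js:12"),
    ]
    wiki = [Finding("DEP-010", "medium"), Finding("LOG-011", "low")]
    for app, tier, findings in (("payments-api", "tier1", payments), ("internal-wiki", "tier3", wiki)):
        r = evaluate_gate(app, tier, findings)
        print(gate_report(r))
        for reason in r.reasons:
            print("  -", reason)
```

The same pair of medium and low findings passes the gate for an internal tool but blocks a tier1 application, which is the point about applications not being rated equally; the ordered finding list and the one-line report give the traceable record of what was found and why the build was allowed or stopped.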

Organizations that build security into the development process from the beginning will see significantly fewer vulnerabilities late in the cycle, which improves product security and makes time to market easier to manage.


About the Author

Kevin Delaney is the Director of Solutions Engineering at Security Compass. A lifelong passionate technologist, he has previously appeared on Bloomberg, CBC, CTV, CP24, and BNN to share his insights and commentary on current topics in the information security space. Kevin holds a Bachelor's degree from UOIT in Information Technology, specializing in Networking & Security.
