The requirement for software security is putting greater demands on organizations. Security initiatives often start modestly; perhaps hiring external pen testers to find security issues in a web application. As security programs mature, the security toolbox gets larger and can include Static Application Security Testing (SAST) tools and services to scan code earlier in the Software Development Lifecycle (SDLC), Software Composition Analysis (SCA) scanners to identify open source components with known vulnerabilities, and Interactive Application Security Testing (IAST) to identify vulnerabilities while the application is exercised during normal functional testing.
While these tools will certainly find vulnerabilities, they can also meet resistance from development teams that are under pressure to deliver specific functionality by a specific date. It’s not that developers don’t care about security; nobody wants to build software that can be hacked. Instead, the concern is that these tools slow down development in an environment where going fast is valued.
The reason these tools slow down developers is that, in many organizations, they are the sole method of identifying vulnerabilities, and they typically report findings only after the code has been committed, so every finding comes back as unplanned rework. Developers want to prevent bugs – not find them later.
There is a better way. Smart security teams are working with engineering to go fast and stay safe by anticipating threats and building controls to mitigate risk into the code. You can learn more about this by reading our article titled "Why scanning your code is not enough".