With the mass adoption of video conferencing applications like Zoom, new security and privacy issues have come to light. While Zoom is specifically under the spotlight right now, these issues likely stem from a broader technology trend that was underway over the last couple of years. The friction between security and speed of software development is quite well-known by now.
Over the past decade, technology has disrupted nearly every industry. Recognizing the strategic advantage of digital applications, organizations around the world have broadly adopted agile development & DevOps practices to bring those applications to market faster. The speed of digital innovation is a key success factor for nearly every organization. As a result, organizations are increasingly adopting automation to remove manual bottlenecks in the application development process.
Why you need security in the application development process
In the race to launch applications faster, organizations might lag when it comes to security and compliance.
Well-publicized breaches, such as Marriott’s recent disclosure of a second major breach, and heightened awareness of privacy practices have brought a tidal wave of new regulations and standards around the world. A few examples would be the General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), China’s Cybersecurity Law, the Payment Card Industry (PCI) Software Security Framework, and the Internet of Things Cybersecurity Improvement Act.
All these regulations and security standards impact the way organizations build applications.
Nearly all these frameworks require the involvement of experts to build security and privacy into the application development process. Processes and measures such as risk assessments, threat modeling, and secure coding can be driven only by security experts. In other words, these new frameworks mandate a security/privacy-by-design approach.
This is where the friction between security and development arises.
How organizations approach application security
Organizations are on an express train to automation — looking to eliminate manual processes entirely from their innovation cycle. Automated code testing has become the de facto standard for secure application development, while expert analysis is often viewed as optional.
This is what we call the “fast and risky” development approach — where organizations focus on building products faster and rely on reactive processes and patchwork to manage security later.
It achieves the goal of getting products to customers faster but puts the organization’s brand, customers’ data, and regulatory compliance at risk. Empirically, we can see nearly every non-regulated industry adopting the “fast and risky” approach to software development, while security and privacy by design are almost non-existent.
On the other hand, a small number of responsible — and usually heavily-regulated — companies employ all the necessary risk measures to inject security in the application development process. The collective overhead and understaffing because of these measures lead to a painful slowdown in innovation. These organizations can manage their security & privacy risk well, but they are increasing their competitive risk by not building products fast enough.
We call this approach “slow and safe.”
Balanced development automation for managing speed with security
In both the approaches explained above, you either compromise on security or struggle with the speed of development. That’s why you might get tempted to focus on your time to market and ignore security. But we all know that a single data breach can be devastating to your business.
In our experience as application security experts, we have found a new approach called balanced development automation that promotes security by design and automation of significant aspects of proactive security measures, such as threat modeling and risk assessments.
This approach enables collaboration between the security, development, and operations teams without slowing down the time to market. When security is built throughout the development process, the probability of security flaws at a later stage is much lower.
In a time when everyone is shifting left for security testing, tools that automate proactive security measures can really make a difference in the development process. In fact, as per our estimations, using balanced development automation tools can cut down the time to complete these manual processes by 80 percent or more. This clearly can be a competitive advantage for any organization as it will ensure fast and secure product development.
In case you want to learn more about our balanced development automation platform, SD Elements, you can get more information here.