AppSec Bites Part 1: Balancing Speed and Thorough AppSec Coverage

A joint blog post from Veracode and ThreadFix

In today's world, speed wins. Just take Amazon for example. You can place an order with the click of a button and have it delivered to your door in under twenty-four hours. Retailers that can't compete with Amazon's speed are falling behind. The same level of speed and efficiency is expected with technology. Companies are in a race to deliver new and innovative technology first. But aside from speed, companies are also concerned about the security of their software. It does you no good to release new software first only to have it compromised.

So therein lies the dilemma... How do you release software fast while still implementing a comprehensive application security (AppSec) program? One of the most widely recognized solutions is moving security practices left. What that means is that instead of implementing AppSec scans right before production, which can be time-consuming, many organizations are starting their scans during the development phase.

But not every scan type can be conducted early in the software development lifecycle. Scans like penetration tests or dynamic analysis are best performed at runtime. Does that mean you should neglect dynamic analysis or penetration tests? In part 1 of the AppSec Bites podcast series, Tim Jarrett, Director of Product Management at Veracode, argues "no." Dynamic analysis and penetration tests find flaws that earlier scans, like static analysis, can't find. So, it's worth taking a little extra time to run those scans.

What are some ways you can save time on AppSec scans? If you have scans that can be effectively implemented early, implement them early. If you don't currently automate your AppSec scans, automate them. And lastly, consider leveraging Veracode's sandbox capabilities for developers. As Kyle Pippin, Director of Product Management at ThreadFix, states, "The sandbox allows developers to get hands-on with risks before they get promoted to the security team. It enables developers to fix the low-hanging fruit."

So, the overall takeaway is that speed and security are a balancing act. You need to consider the risks involved with your application, set expectations with the developers on what flaws should be prioritized, and decide on what scan types make sense. Weigh the tradeoff of time and security for each application and follow best practices for speed to market, like shifting security left as much as possible, automating scans, and leveraging developer sandboxes.

For more information on finding the balance between speed and AppSec coverage, check out part 1 of our recent podcast series with ThreadFix.

Application Security Research, News, and Education Blog