An EASM blog from Detectify

Resolving prioritization issues faced by modern AppSec teams with EASM

Grace Macej / March 17, 2023

Prioritizing and remediating threats with EASM

At Detectify, we proudly maintain an AppSec perspective when it comes to how we handle security. But what does this mean exactly? In short, we think a lot about how both AppSec teams and developers will experience our platform and products.

We know that today’s developers are feeling the pressure to get new code out to production to meet the demands of the business. These business demands have increased the need for AppSec tooling to leverage automation whenever possible.

Now, the challenge for security teams is to adapt their security methods to the developer experience, which is no small feat.

While some security teams advocate for developers to shift security testing earlier in development, the expected value (such as fewer vulnerabilities in production) hasn’t delivered on freeing up resources for developers or security teams.

So, why have developers begun to ship more frequently to production? How do more frequent releases relate to how AppSec teams prioritize and remediate threats more effectively?

Development teams’ shift away from annual or bi-annual releases

Around 2005, traditional companies began shifting to more frequent releases. While the vast majority of companies have adopted more frequent releases, SaaS companies are leading the pack by pushing new releases to production at least weekly.

Release frequency shift

This shift toward more frequent releases came as a result of many companies looking to adopt new methodologies to deliver customer value faster and more efficiently.

What are the benefits of shorter release cycles?

Developers don’t want to build something that nobody ever uses — this makes the idea of shorter release cycles compelling, particularly since it gives developers the opportunity to prove the impact of a new feature or capability that they’ve worked on.

In cases where developers apply major adjustments to fill a product gap (such as a user need, functionality improvements, and so on), an organization can end up accepting a much higher risk of overshooting expectations, which creates friction both within development and with the customer. This, in turn, slows development down and delays how quickly customers can experience the value of a product.

Then, there’s the link between shorter release cycles and remediation speed to take into account. In simple terms, when development teams are faced with long feedback loops, they take more risks because they’re forced to make blind decisions.

When AppSec teams leverage remediation time reduction as a means to collaborate with development teams, they can more quickly uncover what’s getting in their way of resolving threats.

Remediation speed has become increasingly indicative of an effective AppSec program

Changes in development practices and expanding attack surfaces have made it necessary for today’s security teams to take a layered approach to security testing.

True DevSecOps requires shifting both left and right – in other words, testing in both staging and production environments continuously in real-time to assess the risks of things that you didn’t know existed.

To respond to this need, it’s necessary for teams to ditch measuring success by the number of new vulnerabilities, and in its place, to examine remediation speed. Whether you choose to measure in weeks, days, or hours, the targets that you set will vary depending on where you’re starting from today.

Remediation speed

In any case, the important aspect of prioritizing remediation speed is that it shifts a security culture from trying to achieve a perfect state of zero vulnerabilities in production towards becoming one that works to resolve severe threats through alignment on what’s important and accountability for getting them resolved.

Get more advice about today’s challenges surrounding development and security team experience

The experiences and achievements of both security and development teams are a critical consideration factor in how quickly an organization can identify and resolve vulnerabilities and risks.

In our newest e-book, Deep dive: How EASM is outpacing DAST for AppSec teams, we’ll tell you how EASM is poised to help AppSec teams prioritize and remediate threats more effectively.

Here are a few key topics that we cover in the e-book:

  • The prioritization problem AppSec teams face with security scoring systems
  • How EASM helps accelerate remediation efforts
  • How traditional tools aren’t helping AppSec teams achieve their goals and what these teams can do about it with the help of EASM

Download the e-book here.