Picture this: You’re hiking with your puppy in a beautiful recreational area. It's a narrow trail that casually twists around thick forest and bush. You're amazed by the smells, sights, and sounds: Wildflowers in bloom, young deer jumping out of the bush, warblers singing their very best songs to find a mate.
As your puppy proceeds on the trail and gets to the trees, time stops. All of a sudden, everything around you goes dead quiet. Now all you can hear is a menacing rattling sound that seems louder than anything else on the planet. You've never seen a rattlesnake in its environment before, but this sound needs no introduction.
As I recall this fresh memory on the trail, I can't help but think about how our everyday lives resemble a fun day out in nature, with cybersecurity threats lurking around only to appear in the most unexpected ways. Just like snake venom running through a victim's veins, a security breach can be fast to paralyze and cause devastating results for organizations.
As businesses hike their way into markets, they deliver technology solutions that are fit for purpose but may lack essential security controls or may have flawed designs when it comes to protecting customers.
Takeaways from your dangerous run-ins
It's one thing to have a plan when you get breached—and you should definitely have a plan and have layers of defense to make it more difficult for the adversary. But the ideal solution is always to reduce the number of exploitable security flaws and avoid the breach in the first place.
Since your business cannot stay out of the wild, you will expose yourself to threats. Here's what application security teams can learn from my run-in with a rattler.
Take the right steps before exposure and keep a high level of awareness as you take each step. This is where you need to look at embedding security in your system design, development, and operations, and especially in application development, since applications form the interaction layer of your business.
Avoid run-ins with AST automation
While there is no silver bullet for eliminating security flaws, automating application security testing (AST) and getting actionable results are the biggest steps toward avoiding security breaches. Finding and fixing security flaws as early as possible in the application lifecycle remains a validated approach for any development method.
To support application delivery at DevOps speed, security tests need to be automated, continuous, and baked into the app-creation process so developers can get and act on notifications about security issues before code is committed. That is the view of James Rabon, senior product manager at Micro Focus Fortify, who explained it in more detail in a recent article.
"A traditional application security scan at the end of release as a gating measure is largely a practice of the past. You can't produce quality software at the pace of modern development without automated QA testing. The same is true with regards to security."
—James Rabon
What does security automation deliver? It can help development organizations catch common bugs and identify unexpected software behaviors and performance-hindering issues early in the lifecycle, Rabon said.
In fact, according to a survey by Sonatype last year, 57% of organizations with mature DevOps practices said they had already automated security testing throughout the software development lifecycle (SDLC) because of such benefits, compared to just 13% of organizations with no DevOps practice.
Be safe on your next hike into the woods
I hope we can continue to coexist in harmony and avoid dangerous confrontations. The same goes for security breaches: The best way to handle them is to avoid them.
The first SecureGuild conference aims to help you with just that. It's an entire day packed with experts from all around the world sharing their knowledge and experience to help you succeed.