Traditional approaches to application security (AppSec) rely on a patchwork of disconnected tools and processes that add high levels of friction to the modern software development life cycle (SDLC). A unified AppSec platform provides continuous and comprehensive security across the life cycle, enabling organizations to accelerate the release of stronger software while easing the burden on IT budgets and security staffing.
Stuck in the AppSec Tool Swamp
The idea that software needs to be secured and protected is not a new one. As far back as 1979, there were versions of Lint that looked for security issues in code. After around 40 years, AppSec should have identified and codified effective ways to help businesses develop and deploy secure software. Unfortunately, insufficient progress has been made. Despite the evolution of AppSec tools and practices to date, the average number of security vulnerabilities per application has remained unchanged for years—with 26.7 serious problems on average in every release. And with over 100 billion lines of new code being written each year, that’s a tremendous amount of vulnerable software out there in the wild.
When combined with the ever-increasing number of cyberattacks, the implications are serious. For example, per Gartner, “vulnerabilities, and the exploitation of them, are still the root cause of most information security breaches today.” Per the Ponemon Institute, the cost of cyber crime increased 11% from 2018 to 2019—with organizations spending an average of $13 million to deal with the cost and consequences of cyberattacks.
To combat this situation, many organizations simply stack up multiple tools and hope they do the job. But many of these solutions are disconnected, siloed, and specific to different users—a “tool swamp” that makes identifying and fixing vulnerabilities an inefficient, expensive, and time-consuming endeavor.
The tool swamp adds drag and complexity to both security operations and development pipelines, requires multiple teams of experts to interpret results, and frustrates developers and puts them at odds with security. This might be one of the reasons why between 31% and 48% of firms feel security is a major constraint on delivering software quickly. Considering the pace at which developers work these days, particularly those engaged in Agile development and DevOps, there is no way that traditional security tools and processes can keep up.
To address these problems, organizations need an approach to AppSec that aligns the objectives of development, security, and operations. DevSecOps is the promise and practice of bringing security to the “DevOps Party.” It weaves security into the modern software development and information technology principles and practices that aim to shorten the software life cycle and provide continuous delivery with high quality.
DevSecOps encourages AppSec approaches that shift both left and right across the SDLC. It encourages “systems thinking” by promoting alignment and collaboration between developers, release engineers, security teams, and operations teams around shared quality, agility, and security goals. As a result, it promotes a unified, and unifying, approach to AppSec.
Continuous AppSec Across the Entire SDLC
To support a functional DevSecOps practice, a security instrumentation-based AppSec platform provides continuous, unified application security across the SDLC. Security instrumentation passively monitors applications from the inside, as they are used. It lights up runtime code paths like an X-ray or fluoroscope, providing code-level details for both custom code and libraries. It also unifies AppSec stakeholders in the following ways:
- Development teams get immediate feedback on code-level vulnerabilities in their native tools and processes, with AppSec woven into integrated development environments (IDEs), ChatOps, and ticketing systems. Developers see runtime proof of vulnerabilities that they can fix, as they are working, even before they check in code.