- Time Budgets - This is the number one issue that comes up in my experience – security testing is performed too late in the release cycle, and the product managers have not budgeted adequate time for the test and the remediation activities
- Governance - The corporate security team may have the mandate to perform security testing – but they don’t have the mandate to stop a release of vulnerable code
- Financial Budgets - The security testing budget may have only included the security test itself – not any remediation assistance or re-testing
- Training - Developers try and fix security flaws, but are unable to do so before releasing to production
- Poor Results Quality - The security tester or platform may have found security flaws, but not clearly explained how to replicate them– developers may not even know how to replicate the test to check if their fix works
None of these are exactly technical problems – these are management issues. IT leadership and security and development teams can take a few strategies to ensure that application security testing leads to effective remediation:
Budget Security Testing and Remediation into Your SDLC
- Whether Agile or Waterfall – security testing needs to be an explicit part of the release schedule so that expectations around testing and remediation are set properly at the beginning of a project
Streamline the Testing and Re-testing Process
- If you’re using an automated platform (like Veracode) – allow the development teams to submit their own tests and to re-test them without needing to involve outside teams
- If working with manual penetration testers - coordinate closely to ensure that re-testing is possible with your schedule requirements - and make re-testing part of the pen test project budget
Developer Education
- Train your development teams on secure coding practices!
- Having a “security focal” developer is a model that works well – a senior developer who can answer other team members’ security questions
Empower Security Teams
- Give information security teams the final call if an application can be released
- Security teams aren’t “getting in the way” – they’re trying to protect users and the company brand
Veracode helps support these activities in several ways. Our self-service testing platform makes it simple for developers to rescan applications. Additionally, our APIs can integrate with build platforms, simplifying the testing process even further. Our security consulting team is available to all customers to provide technical remediation support for flaws identified in the testing process. And our program management team helps to build effective application security testing processes. Application security testing without a clear remediation plan can be, in some ways, worse than no testing at all. Testing without a remediation plan shows that the organization tried to find security flaws, but didn’t follow the process all of the way through. That is the type of mistake that can lead to some major finger pointing and potential liability in the case of a security breach. And while each organization is different, what consistently works in most cases is to empower both the security and development teams to take charge of their security testing processes, with the clear goal in mind of fixing the identified flaws. Nobody wants to release flawed code, but sometimes teams are pressured to do just that. Making security testing a seamless part of the development cycle will improve the overall security of the business, leading to happier customers, investors, and - developers!