We're beginning to see a growing number of articles in the business press addressing the challenges of securing software applications built with an agile or DevOps methodology. In the past, software stuck to monthly or quarterly update cycles to push out patches. That's no longer practical when code is continuously under revision.
What this always-on app lifestyle means in turn (at the back end) is that software application developers have to work in a new cadence that is often described as Continuous with a capital C.
Adrian Bridgewater outlines what this means for application security teams in his latest Forbes article, "Why The Application Travelator Needs More Handrails."
The software industry thinks it has an answer. Below is an excerpt:
"...The state of the nation is that 111 billion lines of new software code will be written this year alone and every line of code an organization writes makes it easier to attack.
"Unfortunately, static analysis, dynamic analysis and web application firewalls have all failed to keep pace with modern software development practices. CTO and cofounder at Contrast Security Jeff Williams says that we need to turn security into code itself.
"Imagine it was easy to turn security requirements, secure coding guidelines, security policies, security architecture and operational security rules into code," suggests Williams. "Teams could run these checks as they are building software to get instant feedback, accelerating development and saving money. Later in the process, teams can use these checks to ensure compliance before moving to production, without involving experts and slowing the process. Even in production, these same tests can 'self-test' and 'self-protect' running applications for vulnerabilities and attacks. All we need is a powerful platform for expressing security as code and we can radically change the way software is built and secured."
"The suggestion then is that because code is released continuously, security must also work continuously. Feedback has to be instant and accurate. Developers should get instant feedback on their code. Security should be confirmed before every software release..."