How DevOps and Application Security Have Changed

There's a flood of more than one million new vulnerabilities being created every month.



I had the opportunity to speak with Manish Gupta, CEO of ShiftLeft about how DevOps and application security (AppSec) have changed as developers are working from home.


Since the Covid-19 pandemic lock-down, everything on-premises has become difficult. Everyone is working remotely. IT environments and data are less secure. Developers were embracing the cloud before the lock-down and are very comfortable working in the cloud during the pandemic. Post Covid-19, it will be even more difficult for companies to attract good developers if they have not evolved legacy platforms to the cloud.


The pandemic has accelerated technology adoption in financial services, online retail, and technology. Travel and leisure and certain segments of healthcare are revising or putting technology investments on hold. Macy's is reallocating technology to focus on e-commerce while de-emphasizing brick-and-mortar.


As organizations embrace the cloud, there is an increased emphasis on security and a desire to learn how to use cloud-native security across all cloud platforms. It’s important to analyze and develop secure software since it’s no longer operating behind a firewall. While the software needs to be accessible to anyone, it also needs to be secure.


The rapid adoption of the cloud makes AppSec a key priority for many companies. There's a need to address both the OWASP Top 10 and the new cloud-native environments. Helping developers find cloud-centric vulnerabilities with the same level of accuracy and speed is important. More than one billion lines of code are being written every month. There is a vulnerability in every 1,000 lines of code. As such, there are more than one million new vulnerabilities every month. It's critical to put together the right processes and workflow in order to develop better, more secure code.


Now is the time for the enterprise to focus on AppSec. The most important element is operationalizing security into workflows so that it does not hinder developer productivity. It must be easy for developers to use security tools. Legacy technology is hard, and 70% of security issues do not get fixed. As such, enterprises need to put developers first when choosing and implementing an AppSec solution.


How to build a solution for developers?

Agile modern software development tools are purpose-built to fit into the modern software development lifecycle with fast CI/CD pipelines to provide the minimum disruption to developers. As soon as the developers' code gets compiled, it needs to be tested. Developers do not want to wait for results. Security mistakes need to be identified and presented the same way coding mistakes are identified and presented. It needs to be fast and accurate. False positives cause the developer to lose trust in the tool.


ShiftLeft is scanning and analyzing code 40X faster and 3X more accurately than legacy static-code analysis. The solution analyzes every pull request (PR) or every build so that developers never have to wait for security results. It also eliminates false positives by using runtime information to confirm vulnerabilities and discard findings that are not reachable.
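The reachability idea above, as an added illustration that is not ShiftLeft's code or algorithm: a static call graph plus the set of entry points observed as exposed at runtime (all constructed sample data) is used to keep only the findings whose sink is reachable from an exposed entry point, and to report the call path for each confirmed finding so it can be presented the way a compiler error is.

```python
from collections import deque

# Constructed sample call graph (caller -> callees) from static analysis.
CALL_GRAPH = {
    "http_handler": ["parse_query", "render"],
    "parse_query": ["build_sql"],
    "build_sql": ["db_exec"],
    "render": [],
    "admin_cli": ["legacy_export"],
    "legacy_export": ["shell_run"],
    "dead_helper": ["read_file"],
}

# Constructed stand-in for runtime information: entry points observed as
# actually exposed when the service ran (admin_cli was never invoked).
RUNTIME_ENTRY_POINTS = {"http_handler"}

# Constructed SAST findings: (rule id, function containing the sink).
FINDINGS = [
    ("sql-injection", "db_exec"),
    ("command-injection", "shell_run"),
    ("path-traversal", "read_file"),
]


def call_paths(entry_points, graph):
    """BFS from exposed entry points; returns {function: path from an entry point}."""
    paths = {ep: [ep] for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in paths:
                paths[callee] = paths[fn] + [callee]
                queue.append(callee)
    return paths


def triage(findings, entry_points, graph):
    """Split findings into confirmed (reachable sink, with call path) and suppressed."""
    paths = call_paths(entry_points, graph)
    confirmed, suppressed = [], []
    for rule, sink in findings:
        if sink in paths:
            confirmed.append((rule, sink, " -> ".join(paths[sink])))
        else:
            suppressed.append((rule, sink))
    return confirmed, suppressed
```

Calling `triage(FINDINGS, RUNTIME_ENTRY_POINTS, CALL_GRAPH)` confirms only the SQL-injection finding, with the path from `http_handler` to `db_exec`, and suppresses the two findings whose sinks are never reached from an exposed entry point.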


Speed is not the only goal of code development. Conscientious developers are concerned with fixing vulnerabilities as well. Given fast and accurate results, developers are able to deliver vulnerability-free code faster.



Drop Me a Line, Let Me Know What You Think

© 2020 by Tom Smith | ctsmithiii@gmail.com | @ctsmithiii