Development vs. Security: Make It Stop

This article was written from a recent webinar, Development vs. Security: Make It Stop, from Security Journey's CMO and Security Evangelist, Amy Baker. You can watch the recording here. 

We are currently in an application security dilemma that costs organizations millions of dollars annually. 

What are the causes of the AppSec Dilemma?  

Several factors contribute to the AppSec Dilemma, including:  

• Ever-Evolving Security Concerns - 59% increase in new vulnerabilities from 2021 – 2022. source 
• Growing Demands on Developers – 51% of developers have 100x the volume of code vs. ten years ago. source  
• Lack of Security Training - 0 of the top 50 university coding programs require secure coding training. source  
• Increasing Regulatory Pressures - New Whitehouse Cybersecurity Strategy shifts liability for software products and services to help promote secure development practices. 

The AppSec Dilemma is balancing the need for secure applications with the need to develop and deploy applications quickly. This is a complex challenge because security and speed are often seen as being at odds.  

Development teams want to release faster.
Security teams want to reduce vulnerabilities. 

Read More: Feeling Exhausted? The AppSec Dilemma Could Be to Blame 

Increasing Pressures on Development Leaders 

Development leaders and teams are facing mounting pressures, including rising vulnerabilities and the need for faster app releases. These challenges can hinder optimal performance and leave organizations feeling ill-equipped. But by working collaboratively with security teams and finding a balance between roles, both teams can contribute to the project's overall success. 

Continuing the current status quo of pressured development teams with little security training working in an ever-growing field of new vulnerabilities can severely impact your business through financial losses, damaged reputation, and liabilities. 

As a development leader, there are already so many challenges to overcome. The last thing you need is a security leader interrupting your workflow and adding more issues to your plate. However, this doesn't have to be the case.  

With the right approach and collaboration, security and development teams can work together seamlessly to ensure that all bases are covered and nothing falls through the cracks. It's all about communication, collaboration, and creating secure applications. 

It's time to bridge the divide between security and development teams to create a more productive software development lifecycle. 

Read More: Bridging the Security and Development Divide 

How to Change the Focus on People and Process 

Enterprise Management Associates, Inc. (EMA) surveyed 129 professionals across multiple industry verticals, seeking to understand how organizations tackle the difficult challenge of developing secure software applications.   

EMA also found that as many as 70% of organizations are missing critical security steps in their software development lifecycle (SDLC), highlighting a struggle with a 'shift-left' approach.  

"We have seen a worrying increase in new vulnerabilities over the last several years. Unfortunately, while 99% of organizations have security awareness training programs, this approach does not go far enough for those in security-critical roles like developers," says Amy Baker, Security Education Evangelist at Security Journey.  

Traditional solutions are tech-oriented, but the problem is not going away. Your team doesn't need another tool; you need a long-term culture solution. 

You need to focus on three main pillars: people, process, and technology: 

• People - This includes developers, testers, security engineers, and other stakeholders. It is essential to have a team of people with the right skills and experience to ensure that applications are secure.  
• Process - This includes things like threat modeling, code reviews, and secure coding training. It is important to have a well-defined process to ensure that applications are regularly tested and updated to fix security vulnerabilities.  
• Technology -This includes things like firewalls, intrusion detection systems, and code scanning tools. Using the right tools and technologies to protect applications from attacks is vital. 

After reviewing the data, EMA believes the best approach to secure software development is a combination of code reviews (process), code scanning tools (technology), and a stronger emphasis on continuous, third-party training (people).  

TO READ ALL INSIGHTS FROM THE EMA SECURE CODING PRACTICES RESEARCH,
CLICK TO DOWNLOAD THE FULL PAPER.  

ROI Of Secure Coding Training 

When looking at how your organization handles threats, there are two approaches:   

1. Remediating vulnerabilities after production  
2. Preventing vulnerabilities during production  

Each of these approaches has its own cost; let's take a look at the calculations. 

Cost to Remediate Vulnerabilities  

It often takes up to 8 months for a vulnerability to be detected, prioritized, and remediated – making your application a sitting duck. When your team learns of a vulnerability, you must act quickly to remediate the problem.  

Let's look at the calculations:  

• A team is faced with 5,000 vulnerabilities  
• They fix at least 30% of the vulnerabilities = 1,500 vulnerabilities to fix  
• 1,500 vulnerabilities @ 7 hours each = 10,500 hours of developer work  
• 10,500 hours of developer work @ $72/ hour* = $757,215  
• The total average cost to remediate vulnerabilities is $757,215 annually.  

* This assumes a $150k salary.  

Cost to Prevent Vulnerabilities 

While it may take months to remediate a vulnerability, you would probably want to avoid having your team redo completed work – this means writing secure code from the start.  

There are many ways to train application security at your organization, from in-house program development to third-party platforms like Security Journey's AppSec Training, created by industry professionals.   

Let's look at the calculations for a team of 100 developers using average pricing quotes:  

• Average cost of the education platform = $36,000  
• Time to complete training - 12 hours per year @ $72/hour = $86,400    
• The total average cost to train 100 developers on application security is $122,400 annually.  

 Now it's time to answer the key question: What Is The ROI On Application Security Training?  

Taking our calculations from above:  

• The total average cost to remediate vulnerabilities is $757,215 annually.  
• The total average cost to train 100 developers on application security is $122,400 annually.  

Now let's do the calculation for your ROI On Application Security Training:  

This calculation shows that AppSec Education has a 5x ROI, assuming you can prevent the same 30% of vulnerabilities you would want to remediate each year. 

It's Time to Mend the Fences 

Security Journey bridges the gap for faster, more secure development by taking a targeted, vulnerability-driven approach to application security education. With our AppSec Education Platform, you provide your organization with an entire suite of application security training solutions. 

We start with foundational content to ensure that all participants in the SDLC understand basic security concepts and the significance of implementing them to maintain the security of your applications and products.