This is the third of a six-part blog series that highlights findings from a new Mend.io white paper, Five Principles of Modern Application Security Programs. Be sure to look out for our upcoming blogs on each of the five principles.
Most organizations are aware of the benefits of shifting left, or testing earlier in the application development cycle, including things like the ability to detect and fix bugs before production, increased reliability in testing, improved unity between developers and testers, faster time to market, and cost savings.
But organizations also are aware of the increases in cyberattacks, especially those aimed at applications. In fact, according to the Mend.io Open Source Risk Report, software vulnerabilities are the top attack vector in today’s world.
Meanwhile, the average enterprise deploys 464 custom applications — and they’re expected to deploy an additional 37 new custom applications over the next year. The result is that the average number of apps tested per quarter has more than tripled, adding further stress to already overtaxed IT and security teams. And it certainly doesn’t help alleviate that stress when application security (AppSec) is a separate workflow, which is the case for most organizations.
Without question, these trends underscore the need to build a modern AppSec program designed to support demanding development cycles while also ensuring application security.
For such programs to be most effective, organizations need to shift left intelligently, making security a part of every step in the software development lifecycle (SDLC), from user stories and secure code reviews to threat modeling and secure design reviews.
So what does that mean at a practical level? Following are several recommendations for shifting left intelligently: