In the highly competitive landscape of software development, speed seems to always be the driving force behind the release of new apps. However, releasing a new app in record time, followed by a regular and consistent stream of updates, often comes at the cost of security in development.
This type of challenge tends to arise whenever there’s poor communication between the software development team and the brand. The business-oriented portion of the brand prioritizes marketing, strict release dates, and beating the competition, leaving developers to scramble for time to implement the necessary security measures.
The Overbearing Incentivisation of Speed
“Speed is the new currency of business,” said the Chairman and CEO of Salesforce Marc R. Benioff, to emphasize the importance of timing in a rapidly-evolving tech industry. The rate of success of DevOps teams is measured by time, how fast they’re able to reach a certain milestone, and how long before they make it to the next one.
There are a variety of reasons that motivate businesses to prioritize speed in their development operations. Reasons range from having to fulfill tight contracts and beat their competitors in a niche market to the pressure of acquiring new customers and retaining existing ones. Additionally, brands and teams that deliver faster results are more favored by their managers, the stakeholders, and their target consumers in the market.
The fact that rushed coding results in lower quality isn’t something new to business leaders. However, quality issues are often solved by frequent updates and intense debugging sessions after the initial release.
Bugs and error codes are an inevitable part of any software, but underestimating the effects they could have on a product’s reputation may undermine all the benefits generated by an early release date. In addition, bugs are notorious for revealing weak points in the code for hackers and malicious individuals to exploit. Damage to the software’s reputation and to the overall safety of consumers — both individuals and corporate — is a serious risk.
Unlike the core of digital product development, the progress of security isn’t linear. As DevOps cuts corners in design to meet an approaching deadline, relentless security testing and proofing are time and again unable to keep up with the increase in pace. The result is software that’s not only riddled with functional bugs but also with countless known and unknown vulnerabilities.
Another factor that comes into play, and divides development and security, is the rate of technological advancement. Software development, as a whole, is becoming a faster process thanks to pre-made templates and coding libraries, but security is becoming harder to implement properly as threats and methods of attack increase in severity. Furthermore, the introduction of DevOps has led to an increase in distribution and decentralization of teams over time. That makes it a bigger-than-ever challenge for security to reliably communicate with the development team and keep up with any changes in plans or schedules.
An additional challenge that’s unique to security is its ever-evolving nature. Development can continue to introduce additional features to the finished product, but even without the additions, at some point the software can be considered complete by all standards. The same rule doesn’t apply to the security of an app.
The standards defining an acceptably secure product are constantly rising as new types of cyber attacks and threats enter the landscape. Unless an announcement is made that the product will go out of service and customers are advised to stop using it, security must respond to every new virus and malware with continuous updates, patches, and security upgrades.
Ideally, both security and speed are of equal priority. However, when a project is running well behind schedule and something needs to be sacrificed, it’s security that gets the short straw. That’s not to say that companies forgo adequate security measures altogether for the sake of a faster launch. Usually, it’s over-the-top security features that get postponed to one of the updates instead of the initial launch.
One way the effects of the speed-security tradeoff can be mitigated is by operating on an Agile-Scrum basis where the project is developed in short ‘sprints’ that allow for smaller goals. With such sprints, development and security teams can meet regularly to discuss progress and roadblocks, all the while performing short yet thorough tests on smaller portions of the product.
Being tight on time can be resolved in one of three ways: extending time, expanding the team, or reducing the workload. The first two aren’t always an option for the majority of brands, either because of contractual obligations or because of time and budget constraints. Reducing the workload, on the other hand, can be done by allocating a portion of the work to automation.
DevSecOps, which stands for Development, Security, and Operations, is the practice of automating the integration of security into software design at various stages of the development lifecycle. It requires joint effort by and open communication between security and development teams. Static Application Security Testing, or SAST, is a set of tools that analyze an app’s source code, byte code and binaries for indications of security flaws and vulnerabilities.
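To make the SAST description concrete, the block below is an added, illustrative example and not Kiuwan’s tooling or any real scanner: it parses Python source into an abstract syntax tree, walks it, and reports constructs that commonly signal a security flaw (a string literal assigned to a secret-looking name, `eval`/`exec`, `subprocess` with `shell=True`, and weak hash functions), then returns a pass/fail status the way a scanner step in a CI pipeline would. The rule set, the `Finding` type, and the sample source being scanned are all constructed for this example.

```python
"""Toy SAST-style pass over Python source (added example, not Kiuwan's product).

It walks the abstract syntax tree of a file and reports constructs that
commonly indicate a security flaw. The rules and the sample source are
constructed for illustration; a real scanner has hundreds of rules and
performs data-flow analysis rather than simple pattern matching.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample: the kind of file a scanner would see in CI.
SAMPLE_SOURCE = '''
import subprocess
import hashlib

DB_PASSWORD = "hunter2"                  # hard-coded secret

def run(cmd):
    return subprocess.run(cmd, shell=True)   # command injection risk

def load(expr):
    return eval(expr)                        # arbitrary code execution

def digest(data):
    return hashlib.md5(data).hexdigest()     # weak hash

def safe(cmd):
    return subprocess.run(["ls", cmd])       # no shell, argument list: not flagged
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


DANGEROUS_CALLS = {"eval", "exec"}
WEAK_HASHES = {"md5", "sha1"}
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")


def _call_name(node: ast.Call) -> str:
    """Return 'eval', 'subprocess.run', 'hashlib.md5', ... for a Call node."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # Rule 1: a string literal assigned to a name that looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                    s in target.id.lower() for s in SECRET_NAMES
                ):
                    self.findings.append(Finding(
                        "hardcoded-secret", node.lineno,
                        f"string literal assigned to {target.id}"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        # Rule 2: eval/exec execute whatever string they are handed.
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(
                "dangerous-call", node.lineno, f"{name}() executes arbitrary code"))
        # Rule 3: subprocess.* with shell=True hands the command to a shell parser.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append(Finding(
                "shell-true", node.lineno, f"{name}(shell=True) allows command injection"))
        # Rule 4: hash algorithms that are no longer collision resistant.
        if name.startswith("hashlib.") and name.split(".", 1)[1] in WEAK_HASHES:
            self.findings.append(Finding(
                "weak-hash", node.lineno, f"{name} is not collision resistant"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> list[Finding]:
    """Parse and scan one file's source; findings are ordered by line."""
    scanner = Scanner()
    scanner.visit(ast.parse(source, filename))
    return sorted(scanner.findings, key=lambda f: f.line)


def ci_gate(findings: list[Finding],
            fail_on=("dangerous-call", "shell-true", "hardcoded-secret")) -> int:
    """Exit status for a pipeline step: 1 blocks the build if a listed rule fired."""
    return 1 if any(f.rule in fail_on for f in findings) else 0


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE, "sample.py")
    for f in results:
        print(f"sample.py:{f.line}: [{f.rule}] {f.message}")
    raise SystemExit(ci_gate(results))
```

Run against the constructed sample, the scanner reports four findings (hard-coded secret, `shell=True`, `eval`, `md5`) and returns a non-zero status, while the `safe()` call, which passes an argument list without a shell, produces nothing. The `fail_on` tuple is the policy knob the text alludes to: a team can let low-severity rules warn without blocking while keeping the build gate on the rules that matter.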
Automated code scanning, while not a perfect replacement for a skilled software engineer, can be sufficient in a time of need and a boon to the available engineers. Engineers can also rely on efforts from the Open Web Application Security Project (OWASP) for a community-based approach to timely security implementation and improvement.
Given limited resources, managing and maintaining the delicate balancing between speed and security is challenging and can pose a myriad of risks to the end product. Fortunately, Kiuwan is here to help with the right tools and expertise.
Kiuwan is a code security solution for mobile and web application development. The company offers solutions for code security with SAST and software composition analysis (SCA), designed to help teams identify vulnerabilities in the source code. Contact Kiuwan to schedule a free demo today.