How to Take Software to Market Fast and With Minimal Security Risks

The security threats introduced by modern development processes go beyond vulnerabilities in code. Here's where to look and what steps to take.


Software is a crucial business driver for most companies today, meaning software development needs to be lightning-fast. To maintain both speed and security, many companies now integrate automated security tests such as static analysis and software composition analysis (SCA) early in the development process, eliminating costly code fixes later on.

However, software development is evolving and solely relying on scanning source code is insufficient to fend off attackers. For example, recent breaches affecting SolarWinds, CodeCov, and LastPass originated with the CI/CD pipeline, not source code.

Today, software development relies heavily on third-party and open-source software and automated pipelines that bring new products online quickly and efficiently. While necessary to keep up with the pace of innovation, these methods introduce new security threats that require new ways of thinking about application security.

Security challenges introduced by modern software development practices

The security threats introduced by modern development processes go beyond vulnerabilities in code and include:

      • More opportunity for misconfiguration: More systems and tools in the mix means more room for error. For example, Jenkins server misconfiguration is a significant security problem. The SolarWinds attack stemmed from a misconfigured Jenkins server that allowed attackers to tamper with the code during the build.
      • Larger attack surface: APIs, plugins, open source code, containers, and more create a large and growing attack landscape.
      • Sensitive data exposure: Secrets are commonly hard-coded during development to speed up testing and QA, but this practice is a continuously growing and significant source of risk to the organization.
      • Risk of silos leading to lack of context and correlation: In most cases, people and tools are focused on parts of the software factory, but if nothing or no one is overseeing the process as a whole, you can have blind spots, duplicated efforts, or unnecessary tasks.
      • GenAI: Developers are increasingly leveraging GenAI to speed up the coding process, introducing new attack vectors that are hard to identify and track.

Recommended steps for fast and secure software development

Given that slowing down software development or reverting to waterfall development are not options, how do organizations facilitate modern software development in a way that aligns with the organization’s risk tolerance? It comes down to automating security tests, creating resilient pipelines, and getting the context needed to avoid blocking things that don’t need to be blocked. A few good places to start:

      • Automate security checks as much as possible: Automate your security tests like static analysis and SCA whenever possible to avoid adding speed bumps to the dev process.
      • Separate dev from prod: If a build server has direct credentials to the production environment, it’s a problem. Typically, applications should not be deployed to the production environment for testing.
      • Select AI hubs carefully: AI model developers should regularly scan code for secrets and consider choosing an AI hub with an internal scanner. This additional layer of security ensures that potential vulnerabilities are identified early in the development process, thereby minimizing the risk of exposed secrets.
      • Take care with build server configurations: Make sure they are updated. Do not neglect the security of plugins.
      • Validate before using third-party code: For example, don’t automatically rely on a base container image’s “latest” version.
      • Use secret scanners: Developers often add a secret to the source code, test it, and then attempt to delete it. They do this by creating another commit that removes the secret, but Git contains all the revisions and all the commits, and attackers also know to look at history. The last version of the code could be completely safe, without any secrets, but somewhere, a change log contains that secret, and it’s now stored in your code base. 
      • Get visibility into the whole process and components: Seek solutions to help teams understand the components, the code, the containers, binaries, developers, and even the system and the infrastructure on which the code is being built. With this context, you will avoid slowing down the process with false-positive or duplicate testing results. You can focus resources on vulnerabilities that genuinely matter rather than those that don’t introduce significant risk.
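The history problem described under "Use secret scanners", as an added example that is not from the original article: a small Python scanner that runs detection rules over every revision of a commit history rather than only the latest tree, so a secret that was committed and later deleted is still reported. The commit history, file contents, rule set and key value are all constructed for this illustration.

```python
import math
import re

# Constructed sample history: each entry is (commit_id, {path: content}).
# A key is added in c2 and removed again in c3, so the latest tree is clean
# while the history is not. The AWS-style key is a fake built for this example;
# the PASSWORD line is a low-entropy placeholder present in every revision.
SAMPLE_HISTORY = [
    ("c1", {"config.py": "DEBUG = True\nPASSWORD = 'xxxxxxxxxxxxxxxx'\n"}),
    ("c2", {"config.py": "DEBUG = True\nPASSWORD = 'xxxxxxxxxxxxxxxx'\n"
                         "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"}),
    ("c3", {"config.py": "DEBUG = True\nPASSWORD = 'xxxxxxxxxxxxxxxx'\n"}),
]

# Two kinds of rule: a format-specific one (AWS access key IDs start with
# AKIA followed by 16 upper-case alphanumerics) and a generic "secret-looking
# name assigned a quoted string" rule that is gated on entropy below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b\w*(secret|token|api[_-]?key|password|key)\w*\s*[=:]\s*"
        r"['\"]([^'\"]{12,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character; placeholders like 'xxxx' score near zero."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_secrets(content):
    hits = []
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(content):
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(value) < 3.0:
                continue  # low-entropy value: almost certainly a placeholder
            hits.append((rule, value))
    return hits

def scan_history(history):
    """Findings from every revision, which is what an attacker would read."""
    findings = []
    for commit_id, tree in history:
        for path, content in tree.items():
            for rule, value in find_secrets(content):
                findings.append({"commit": commit_id, "path": path,
                                 "rule": rule, "value": value})
    return findings

def scan_head(history):
    """Findings from only the latest revision, i.e. a tree-only scan."""
    return scan_history(history[-1:])
```

A tree-only scan of the sample reports nothing, while the history scan surfaces the key in c2 under both rules.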

Visibility and collaboration are key

Ultimately, a strong working relationship between security and development teams is essential to creating secure software. Security teams should understand developer processes and priorities and try to enable rather than impede. Development teams should familiarize themselves with common ways their processes can become compromised and take steps to avoid introducing risk. Having security-minded developers who can act as security champions is a proven way to help these teams collaborate and keep code moving.

Visibility is another essential part of keeping these teams in sync. When both teams are on the same page about the “big picture” and the controls on all facets of the software factory, from coding to pipeline to production, software moves to market more quickly and securely.

Joe Nicastro

Joe Nicastro is a seasoned cybersecurity expert with over a decade of experience in the field, specializing in application security for the past six years. With a diverse background working at industry-leading companies, Joe has honed his skills and knowledge in securing applications and helping organizations build better AppSec programs.

In addition to his professional journey, Joe is passionate about sharing his expertise and mentoring the next generation of cybersecurity professionals. In this capacity, Joe has spent several years as an instructor at a cybersecurity boot camp, imparting invaluable knowledge to aspiring security enthusiasts and actively fostering industry collaboration and knowledge-sharing as a critical contributor to the OWASP chapter in Kansas City.
