By Yen Hoe Lee, Director, KPMG Advisory
There is an old joke among software developers that if you’d just write it correctly the first time, you’d never have to waste time debugging or testing your code. Anyone even remotely familiar with software development can see the absurdity of perfection that makes this a joke. Today, even the simplest of applications is a machine of almost unimaginable complexity in which a single misplaced character or seemingly innocuous line of code can create a serious flaw or vulnerability.
When it comes to application security (AppSec), it might appear as if some organizations have taken this joke seriously. Instead of performing AppSec testing on every release of every application in their portfolios to detect and remediate critical vulnerabilities, they’re testing only sporadically or selectively, perhaps testing only the three or four most “risky” apps each release. Of course, no one really believes that they’ve just written it correctly and so no testing is needed. The unfortunate truth is that many aren’t testing every release because they simply don’t have the resources or the time to do it.
No time to test
Fueled by new techniques and methodologies such as agile, DevOps and CI/CD, the pressure on developers to deliver faster has never been greater. Reportedly, many of the well-known Internet platforms push updates every few hours – not weeks, not days. So, what do you do when your thinly-staffed AppSec team tells you it needs two or three days to properly evaluate a release (not counting time for remediation) when you’re trying to maintain a pace like that across not just one but maybe even dozens of applications?
For some, despite a genuine desire to do the right thing, the answer is the equivalent of closing your eyes, plugging your ears and repeating “la-la-la” because if you don’t know about the vulnerabilities, they can’t hurt you, right?
The not so secret secret is that many organizations have such visibility gaps in their application security. Many see AppSec as a major source of friction in the development process, and so it’s natural and tempting to want to reduce or eliminate that friction – or at least to try throwing technology at the problem to compensate for the lack of time and resources. Technology can indeed help – in fact, it’s indispensable – but it’s not a panacea.
Automation is a tool, not a solution
While there are a dozen or so well-respected software packages designed to automate AppSec testing, none can truly evaluate vulnerabilities in the context of your business or your industry. They can’t prioritize the most critical issues specific to you and your organization and its customers, and often simply spit out a list of issues that’s so long it might as well be infinite. And they can’t look at your organization as a whole to see if it has fostered a culture of security, if it’s optimized to maintain application security in the most efficient way or if its security practices are aligned with overall business goals.
As with most tools, the quality of the outcome is only as good as the skill of the person using it. Many organizations struggle to find skilled and seasoned AppSec data analysts who can interpret the output and make informed recommendations in terms of business risk.
It’s also not uncommon for large organizations to have different teams using different AppSec tools, or to outsource development projects to multiple teams that have their own tools, which also makes it difficult to get a single, complete view of application security – and the potentially catastrophic business risks you may be exposed to.
Without that visibility, it’s nearly impossible to determine where to focus resources to maximize efficiency and effectiveness, or to properly manage risk. It’s the software equivalent of driving a car without being able to see completely out the windshield, not knowing when to hit the brakes or when you can accelerate. As they say, good brakes aren’t designed to make cars to go slower – they’re designed to allow them to go faster.
The same is true for AppSec. Done right, AppSec can not only be a frictionless part of the development process, it can actually help you accelerate it.
NextGen AppSec Solutions
In the last few years, a new generation of on-demand AppSec solutions have evolved to address exactly that goal, including on-demand solutions from KPMG. These NextGen solutions are designed to scale to meet the needs of organizations with large application portfolios, multiple development teams and aggressive development schedules. They’re also designed to eliminate gaps in AppSec visibility by aggregating data across disparate tools and teams – without having to first normalize the data.
There are many potential efficiencies that can be exploited with better visibility. For example, you might see that SQL injection issues are common across multiple development projects. Rather than addressing each discretely and repeatedly, you might add more training around SQL injection, or create a central, common library of code that’s been designed to address the problem.
Enhanced visibility also applies to what’s happening outside of your organization, too. It can be enormously helpful to benchmark your performance against industry norms to understand where more attention needs to be paid – and where you’re already doing well.
Another key aspect of an on-demand solution is that it’s designed to consider the entire process, not just the applications themselves. AppSec doesn’t exist in a vacuum or in discrete application silos. Optimizing your organization for greater efficiency and speed of development might involve disciplines such as risk management, digital transformation, organizational change management, regulatory compliance, and more – things that no software-only solution can deliver.
You can learn more on how KPMG is helping organizations achieve modern delivery of IT here or drop me an email to talk more about your AppSec requirements.
This article represents the views of the author only, and the information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.
Copyright © 2020 IDG Communications, Inc.