Developer buy-in key for application security

on Nov 17, 14 • by Chris Bubinas • with No Comments

The need for high-quality application development efforts is growing at companies around the world. Firms require sophisticated apps for both external and internal purposes, and ineffectual development initiatives can severely undermine an organization's productivity and ability to compete in a given sector. However, the pressure to excel in this capacity can lead to problems. Most notably, many companies struggle to strike a balance between speed and security when pursuing app development efforts.

This does not have to be the case, though. As James Routh, CISO for Aetna, recently explained in a conversation with Tech Target, it is very possible to maximize app development productivity without sacrificing security. The key to such success is the combination of best practices and tools with developer buy-in.

Security challenges
Routh noted that in the past, many developers viewed application security efforts as counterproductive.

"The developers and their project leads viewed security controls in the development process as obstacles to getting real work accomplished, and they had no budget for the hours of remediation work required when security vulnerabilities were discovered," he told the news source.

As time has passed, application security has become more of a focus as the threats companies face have grown and evolved. Yet while many developers are no longer so dismissive of the need for security, project managers continue to see such efforts as inherently opposed to productivity and efficiency, Routh explained.

If these personnel are not fully on board with a company's application security policies, the organization will be vulnerable to both external attacks and internal leaks. Only a company-wide commitment to security can ensure that the business's applications remain protected at all times.

Getting buy-in
The question, then, is how security professionals and department leaders can ensure that all relevant personnel completely buy into company-wide application security policies and practices.

Fortunately, as Routh pointed out, the argument in favor of committing to application security is extremely persuasive.

"It's really hard to argue against a process that saves money, improves quality and reduces risk," said Routh, the source reported. "I come armed with simple information demonstrating each attribute and a commitment, which is that having done this so often it is relatively easy to address."

When addressing this issue, Routh focuses his early efforts on convincing the CEO, CIO and other C-level executives to implement comprehensive software security programs. Once those leaders are convinced, it is much easier to obtain universal approval and acceptance.

The right approach
For any IT security professional intent on gaining executive and management support for application development security initiatives, a robust, comprehensive plan is essential. This strategy must address concerns at every level. Notably, resistance will remain a problem if developers suspect that the security policies and tools will have a negative impact on their ability to hit deadlines and meet quotas. By developing an approach that incorporates tools to deliver security without hurting productivity, the case in favor of a dedicated approach to security is much stronger and more likely to be embraced enthusiastically.

For example, Routh highlighted the positive economic effects of detecting defects early – a major benefit of high-quality, mature software security solutions. Consequently, IT security leaders should approach company decision-makers with specific proposals concerning what tools to deploy and the expected impact of such initiatives.

In terms of early detection, a business-quality static code analysis solution would be a critical selling point for any broader software development security effort. Static code analysis not only enables earlier detection but also reduces testing costs and increases developer productivity, since developers can focus on the application's features rather than its flaws. Static code analysis achieves all of this while improving the overall quality of the company's code and helping the firm meet and maintain compliance with industry standards.

The evidence is clear: Software security is an absolute necessity for any company engaged in application development. Getting buy-in from executives, managers and the developers themselves is key to ensuring the company's code remains safe without compromising productivity. By understanding and presenting the benefits of the technology as part of a complete software security approach, security professionals can make a compelling case, leading to company-wide adoption.