Integrating security into modern software development: A workflow study

Application security testing has been around for a long time, yet successful attacks continue despite significant investments in application security. And we shouldn’t be surprised when we’re applying testing tools developed more than 12 years ago to software development methods only made commonplace in the last 3–5 years. In addition, application security is least understood and often takes a back seat to perimeter and endpoint security. At the same time, there’s a misconception that the cloud provider takes care of all the security, and few people have considered new attack surfaces introduced by containers and orchestration. Tesla showed us the fallacy here.

Traditional application security testing has been targeted to security professionals and is regarded as a separate process from development. This separation and delay creates friction in the process, with many trade-offs required. In an effort to improve application security testing, the new chant has been “shift left” to remove more vulnerabilities earlier and empower the developers.

Lucas Charles (GitLab) examines the shortcomings of most shift-left efforts and how cloud native environments, Agile DevOps processes, and minimum viable products with rapid iteration wreaks havoc on traditional security methodologies. He dives into how to bring security into DevOps while avoiding a complex DevOps toolchain that must be integrated with security testing and explores new ways of thinking of app security to turn the industry on its head by using concurrent DevOps—a method that makes it possible for product, development, QA, security, and operations teams to work at the same time. You’ll learn the three key requirements of your application security process needed to get you onto the road of an efficient and secure software development lifecycle (SDLC).