Building in security without putting the brakes on application development


For those managing software development teams, balancing the need for cybersecurity with the pressure to deliver projects on time is no small task. There’s often a perception that security tasks will slow down the development process, introducing potential bottlenecks to release times. In fact, our recent research found that 61% of developers are concerned about security getting in the way of their workflow.

As with any project, one of the most important aspects is aligning everyone towards the same goal, which is, ultimately, safe and reliable applications. This means making the right choices about security so that developers' time is focused on developing rather than fixing problems. After all, it is far less disruptive and costly to deal with software issues (security ones included) early in the life cycle than to rework an application, or pull it entirely to make fixes, once it is running.

The key is embedding application security into the developers' existing workflow, so that they have the tools and knowledge to make it seamless and as low-friction as possible.

Renny Shen

VP Portfolio Marketing, Checkmarx.

Prioritizing for impact

Effective business app security begins with prioritization. Development teams have limited time, so they need to focus on the vulnerabilities that are most critical. Prioritizing vulnerabilities involves assessing their severity, exploitability and the criticality of the application they reside in.

A strong security toolset should incorporate mechanisms to accurately classify vulnerabilities. For example, vulnerabilities can be ranked by their CVSS (Common Vulnerability Scoring System) score, which reflects factors such as how easily the flaw can be exploited and its impact on confidentiality, integrity and availability. A CVSS base score measures severity, though, not whether anyone is actually exploiting the flaw, so security tools should also integrate with threat intelligence feeds (CISA's Known Exploited Vulnerabilities catalog is one widely used source) to correlate findings with known exploitation in the wild, enabling developers to focus on the issues that pose the most immediate risk.

Security testing should be conducted at multiple stages of the application development lifecycle. Traditionally this meant Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). There is more to consider now, such as Software Composition Analysis (SCA) for open-source dependencies, container security, and Infrastructure-as-Code (IaC) security. Runtime protection also feeds prioritization: knowing which components and code paths are actually exercised in production can be correlated with SAST and SCA findings to decide what to fix first. SAST identifies vulnerabilities in the source code itself, so developers can address issues before the code is even compiled.

DAST, which exercises the running application, belongs in later stages; used together, the two layers reduce the chance that a critical vulnerability slips through the cracks. Prioritizing vulnerabilities at each stage helps keep development on track while maintaining a strong security posture.

Integrating security into the development workflow

Applications today are far more complex than they were just a few years ago. More than 50% of developers are now utilizing AI in their workflows, and the modern application is composed of multiple components: proprietary source code, open-source libraries, and even AI-generated code. This introduces new layers of security and legal risks, making it increasingly challenging for developers to stay ahead of potential vulnerabilities.

So, for security to become an integral part of the software development process, project leaders must introduce processes and practices that can easily incorporate security measures into the developer’s general workflow. It’s about making their life easier, instead of adding a load of new responsibilities on their shoulders.

Automating AppSec processes is the practical answer. Automated security scanning can run as part of the CI/CD pipeline, with the results fed back into the developer's IDE: the developer checks in code, it is scanned for vulnerabilities, and the findings are at hand to fix while the change is still fresh. This immediate feedback loop lets teams catch and address vulnerabilities, such as an SQL injection, as early as possible. IDE plugins can also give real-time feedback as code is written, reinforcing secure coding habits that matter more as application complexity grows.

In addition to IDE integration, security checks should also be part of the source control management (SCM) system. Automated security checks during code commits or pull requests ensure that vulnerabilities are flagged before they are merged into the main branch. This early intervention helps prevent insecure code from entering production. In cases where vulnerabilities are found, automated systems can immediately generate bug tickets with detailed descriptions of the issue and guidance on how to resolve it, streamlining the remediation process.

With the rise in the use of third-party and AI-generated code, automated code reviews are also essential for maintaining security standards. These reviews can be configured to enforce coding best practices and flag common security issues like improper input validation, insecure configuration, or poor error handling. By integrating these reviews into the development workflow, teams can ensure that security is built into every stage of the process, from the first line of code to deployment.
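The pull-request gate and automatic ticket generation described above can be built on the scanner's SARIF output, the interchange format most SAST tools emit and that source-control platforms consume. The following is an added example, not any vendor's integration: it parses a constructed SARIF 2.1.0 document, blocks only on findings the pull request introduces (anything already in a constructed baseline of known fingerprints is tracked rather than blocked) and renders the blocking ones as ticket text. The `security-severity` rule property is the convention GitHub code scanning uses; the tool name, rule ids and fingerprints are made up for the illustration.

```python
"""Pull-request gate over SAST output in SARIF 2.1.0. Added illustration, not
any vendor's integration; the SARIF document and the baseline are constructed."""
import json

# Constructed SARIF output, shaped like what a SAST tool emits for a pull request.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "py/log-injection", "properties": {"security-severity": "6.1"}},
            {"id": "py/unused-import", "properties": {"security-severity": "0.0"}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"primaryLocationLineHash": "a1b2"}},
            {"ruleId": "py/log-injection", "level": "warning",
             "message": {"text": "Log entry from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}],
             "partialFingerprints": {"primaryLocationLineHash": "c3d4"}},
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 1}}}],
             "partialFingerprints": {"primaryLocationLineHash": "e5f6"}},
        ],
    }],
})

# Constructed baseline: fingerprints already known on the main branch.
BASELINE = {"c3d4"}


def parse_sarif(text):
    """Flatten SARIF results into plain dicts with the rule's severity attached."""
    doc = json.loads(text)
    findings = []
    for run in doc["runs"]:
        severity = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                    for r in run["tool"]["driver"].get("rules", [])}
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"],
                "severity": severity.get(res["ruleId"], 0.0),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "text": res["message"]["text"],
                "fingerprint": res.get("partialFingerprints", {}).get("primaryLocationLineHash"),
            })
    return findings


def gate(findings, baseline=frozenset(), threshold=7.0):
    """Return (blocking, new): new findings are those absent from the baseline,
    blocking ones are the new findings at or above the severity threshold.
    Pre-existing debt is never a reason to fail someone else's pull request."""
    new = [f for f in findings if f["fingerprint"] not in baseline]
    blocking = [f for f in new if f["severity"] >= threshold]
    return blocking, new


def ticket_text(finding):
    """Render one finding as the body of an auto-generated bug ticket."""
    return (f"[{finding['rule']}] severity {finding['severity']}\n"
            f"{finding['file']}:{finding['line']}: {finding['text']}")


if __name__ == "__main__":
    import sys
    blocking, new = gate(parse_sarif(SAMPLE_SARIF), BASELINE)
    for f in blocking:
        print(ticket_text(f))
    sys.exit(1 if blocking else 0)   # a non-zero exit fails the pull-request check
```

The baseline is what makes a gate like this tolerable for developers: on day one a legacy codebase may carry hundreds of findings, and a check that fails every pull request until they are all fixed is the bottleneck the article warns about. Gating on new findings only, and filing the rest as tracked tickets, keeps the feedback immediate without blocking unrelated work.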

Empowering developers through knowledge and tools

Even with the best security tools in place, developers need the right support to effectively resolve vulnerabilities. Security tools should do more than just flag issues; they should offer actionable remediation guidance alongside vulnerability reports. When a vulnerability is identified, developers should be equipped with the context they need to understand not only that a problem exists, but also why it exists and how to resolve it efficiently. Providing relevant code examples or references to documentation can help developers address vulnerabilities swiftly without having to spend unnecessary time researching solutions.

To further empower developers, it's essential to invest in building a strong foundation of secure coding practices. Security training should be viewed as a core part of a developer's professional development, offering continuous learning opportunities through e-learning platforms or in-person workshops. Practical, hands-on exercises are key to helping developers apply what they’ve learned to real-world scenarios. Topics like cross-site scripting (XSS), SQL injection, and insecure deserialization should be covered extensively, along with best practices to prevent these vulnerabilities.
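As an example of the hands-on exercise such training should contain, here is an added demonstration (not the article's own material) of the SQL injection class mentioned above: the same lookup written with string formatting and with a parameterised query, run against a constructed in-memory SQLite table so the difference can be observed directly. The table, rows and payload are all constructed.

```python
"""Vulnerable and hardened versions of one database lookup, run against an
in-memory SQLite table. Added illustration; the schema and rows are constructed."""
import sqlite3


def make_db():
    """Constructed users table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def lookup_vulnerable(con, name):
    """Builds the query by string formatting, so user input becomes SQL syntax."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con, name):
    """Parameterised query: the driver passes the value separately from the
    statement, so quotes in the input can never change the query's structure."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


# Classic tautology payload: closes the string literal and appends an OR clause.
PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, PAYLOAD))   # both addresses leak
    print(lookup_hardened(con, PAYLOAD))     # no user has that literal name
```

The lesson the exercise makes tangible is that the fix is not escaping quotes by hand but keeping data and query structure on separate channels; the same principle applies to ORMs and prepared statements in every other language.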

Over time, as developers participate in ongoing security training, their knowledge will naturally integrate into their daily workflows. This proactive approach to security ensures that they write secure code from the start, reducing the number of vulnerabilities introduced into the codebase.

In short, application security should be seen as an integral part of development, not a roadblock. Prioritizing vulnerabilities, integrating security into existing workflows, and empowering developers with the right knowledge and tools are key strategies for maintaining both speed and security in software projects.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
