{"id":41400,"date":"2020-09-21T09:49:25","date_gmt":"2020-09-21T13:49:25","guid":{"rendered":"https:\/\/sdtimes.com\/?p=41400"},"modified":"2023-07-14T16:43:33","modified_gmt":"2023-07-14T20:43:33","slug":"putting-developers-into-application-security","status":"publish","type":"post","link":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/","title":{"rendered":"Putting developers into application security"},"content":{"rendered":"

Making security easy for developers, in their preferred tools, while still generating reports for the CISO is a challenge many organizations face today, when the reality is that late-stage security approaches can’t plug vulnerabilities deep within applications.<\/span><\/p>\n

Yet putting the onus squarely on developers is a gamble, as many aren’t knowledgeable about certain kinds of vulnerabilities, or where they might lie, such as in an open-source component or in an API.<\/span><\/p>\n

So organizations are meeting the challenge of application security by creating development ‘squads,’ made up of developers, testers, security personnel and the product team, to prevent vulnerabilities from making their way into an application.<\/span><\/p>\n

To create the squad, Simon King, vice president of solutions for the Synopsys Integrity Group, strongly recommends hiring a couple of security experts who have already done that in the past, “because trying to figure it out from scratch will just take you too long and you’ll miss just very basic things.” After the experts are on board, he said to complement the team with people from the product teams who know much better where weaknesses may lie.\u00a0<\/span><\/p>\n

Then, he recommends, set up e-learning to train back into the organization and eventually push\u00a0 security personnel out into the product teams, from where security champions will emerge.\u00a0\u00a0\u00a0<\/span><\/p>\n

Four levels of security<\/strong>
\nKing explained there are four levels of security that many organizations go through: security as a cost center, as compliance, as technology, and ultimately as a business enabler. From the cost center perspective, he said, organizations are concerned with what tools to buy<\/span> that \u201ctick the box\u201d for a particular security concern<\/span>. Security as compliance refers to<\/span> defining<\/span> policies that<\/span> a central team tries to<\/span> enforce. As technology, organizations look to build these solutions into their pipeline to get the tools leveraged by developers.\u00a0<\/span><\/p>\n

King said they then drive a cultural change that moves security teams from acting like police to actually embedding them with the development teams “so they think about things right up front, as ‘what could we do’ instead of ‘what do we have to do now that we’ve already written the code and tested it?’ ” Lastly, only a few of the most mature companies on the planet are at the point where they see security as a business enabler. That, he said, is a pretty fundamental shift “that then enables <\/span>the<\/span> kind of thinking that says now that the data is data super-secure, what could we do with it that we couldn’t contemplate doing before because we didn’t trust how <\/span>who has <\/span>access <\/span>to the data<\/span>, for example.”<\/span><\/p>\n

In this kind of environment, developers\u00a0 should take on as much testing as they can from the moment an object exists, King explained. From the time a developer reaches into a public repository to pull some JavaScript for an open-source project, he said, you want to ensure it’s the correct version, that there are no known vulnerabilities associated with it, and if licenses comply with corporate policies, because you don’t want to find that out late in the development life cycle. So static analysis and open-source analysis for software composition\u00a0 should be done early on. Then, as the software goes through the pipeline, dynamic testing on APIs <\/span>that connect applications and services into system architecture<\/span> will have to be done later in the process, by the very nature of it.\u00a0<\/span><\/p>\n

“And then maybe middle of the way down the path you’re going to start looking at the containers you’re running in,” King said. “What’s in that template, all of the different layers from the application down to the container itself, and then ultimately some vulnerabilities only manifest in pretty complex deployment architectures, and so you’re going to do pen test and things like that fairly late stage.”<\/span><\/p>\n

What Synopsys offers<\/strong>
\nTo help organizations, Synopsys brings together managed software services, professional services and tooling. The company does <\/span>BSIMM<\/span><\/a>-based interviews to see evolving industry security practices, and turns that around to offer benchmarking, assessment and mapping processes. “These are action plans to say, how do you get from where you are to where you want to be,” King explained.\u00a0<\/span><\/p>\n

The professional services team supports implementation and adoption of the tools at scale. King was most excited about the tooling, which covers the spectrum from static security testing to open-source vulnerability analysis to pen testing — creating a holistic application security environment.<\/span><\/p>\n

Synopsys has research labs working on the company’s multi-petabyte knowledge bases and the tests they write to check for vulnerabilities, while the professional services teams provide the company with deep insight into their customers because they work so closely with their customer-facing teams. King said, “We bring that expertise, that customer intimacy, that’s otherwise hard to attain.”<\/span><\/p>\n

 <\/p>\n

Content provided by SD Times and Synopsys<\/a><\/span><\/i><\/p>\n

\"\"<\/i><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Making security easy for developers, in their preferred tools, while still generating reports for the CISO is a challenge many organizations face today, when the reality is that late-stage security approaches can’t plug vulnerabilities deep within applications. Yet putting the onus squarely on developers is a gamble, as many aren’t knowledgeable about certain kinds of … continue reading<\/a><\/p>\n","protected":false},"author":804,"featured_media":38144,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"cybocfi_hide_featured_image":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[4339,1,11110],"tags":[45,8570],"coauthors":[13640],"acf":[],"yoast_head":"\nPutting developers into application security - SD Times<\/title>\n<meta name=\"description\" content=\"There are 4 levels of application security organizations go through: security as a cost center, compliance, technology, and a business enabler.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Putting developers into application security - SD Times\" \/>\n<meta property=\"og:description\" content=\"There are 4 levels of application security organizations go through: security as a cost center, compliance, technology, and a business enabler.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/\" \/>\n<meta property=\"og:site_name\" content=\"SD Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/SDTimesD2\" \/>\n<meta property=\"article:published_time\" content=\"2020-09-21T13:49:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-14T20:43:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"411\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"SD Times\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:site\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"SD Times\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/\"},\"author\":{\"name\":\"SD Times\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/e0f273b980b8e16bc8d40ac339edafc6\"},\"headline\":\"Putting developers into application security\",\"datePublished\":\"2020-09-21T13:49:25+00:00\",\"dateModified\":\"2023-07-14T20:43:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/\"},\"wordCount\":799,\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg\",\"keywords\":[\"security\",\"Synopsys\"],\"articleSection\":[\"Industry Spotlight\",\"Latest News\",\"Sponsored\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/\",\"url\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/\",\"name\":\"Putting developers into application security - SD Times\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg\",\"datePublished\":\"2020-09-21T13:49:25+00:00\",\"dateModified\":\"2023-07-14T20:43:33+00:00\",\"description\":\"There are 4 levels of application security organizations go through: security as a cost center, compliance, technology, and a business enabler.\",\"breadcrumb\":{\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg\",\"width\":640,\"height\":411},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/sdtimes.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Putting developers into application security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sdtimes.com\/#website\",\"url\":\"https:\/\/sdtimes.com\/\",\"name\":\"SD Times\",\"description\":\"Software Development News\",\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sdtimes.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/sdtimes.com\/#organization\",\"name\":\"SD Times\",\"url\":\"https:\/\/sdtimes.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"width\":225,\"height\":90,\"caption\":\"SD Times\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/SDTimesD2\",\"https:\/\/x.com\/sdtimes\",\"https:\/\/www.linkedin.com\/company\/sdtimes\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/e0f273b980b8e16bc8d40ac339edafc6\",\"name\":\"SD Times\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/image\/12a3751daacf16712c32bd81bc5a3040\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b13d7778dc0e9a25bd7775c197be5132?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b13d7778dc0e9a25bd7775c197be5132?s=96&d=mm&r=g\",\"caption\":\"SD Times\"},\"url\":\"https:\/\/sdtimes.com\/author\/sd-times-staff\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Putting developers into application security - SD Times","description":"There are 4 levels of application security organizations go through: security as a cost center, compliance, technology, and a business enabler.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/","og_locale":"en_US","og_type":"article","og_title":"Putting developers into application security - SD Times","og_description":"There are 4 levels of application security organizations go through: security as a cost center, compliance, technology, and a business enabler.","og_url":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/","og_site_name":"SD Times","article_publisher":"https:\/\/www.facebook.com\/SDTimesD2","article_published_time":"2020-09-21T13:49:25+00:00","article_modified_time":"2023-07-14T20:43:33+00:00","og_image":[{"width":640,"height":411,"url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg","type":"image\/jpeg"}],"author":"SD Times","twitter_card":"summary_large_image","twitter_creator":"@sdtimes","twitter_site":"@sdtimes","twitter_misc":{"Written by":"SD Times","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#article","isPartOf":{"@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/"},"author":{"name":"SD Times","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/e0f273b980b8e16bc8d40ac339edafc6"},"headline":"Putting developers into application security","datePublished":"2020-09-21T13:49:25+00:00","dateModified":"2023-07-14T20:43:33+00:00","mainEntityOfPage":{"@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/"},"wordCount":799,"publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"image":{"@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg","keywords":["security","Synopsys"],"articleSection":["Industry Spotlight","Latest News","Sponsored"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/","url":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/","name":"Putting developers into application security - SD Times","isPartOf":{"@id":"https:\/\/sdtimes.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage"},"image":{"@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg","datePublished":"2020-09-21T13:49:25+00:00","dateModified":"2023-07-14T20:43:33+00:00","description":"There are 4 levels of application security organizations go through: security as a cost center, compliance, technology, and a business enabler.","breadcrumb":{"@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#primaryimage","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2019\/12\/typing-849806_640.jpg","width":640,"height":411},{"@type":"BreadcrumbList","@id":"https:\/\/sdtimes.com\/security\/putting-developers-into-application-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sdtimes.com\/"},{"@type":"ListItem","position":2,"name":"Putting developers into application security"}]},{"@type":"WebSite","@id":"https:\/\/sdtimes.com\/#website","url":"https:\/\/sdtimes.com\/","name":"SD Times","description":"Software Development News","publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sdtimes.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/sdtimes.com\/#organization","name":"SD Times","url":"https:\/\/sdtimes.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","width":225,"height":90,"caption":"SD Times"},"image":{"@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/SDTimesD2","https:\/\/x.com\/sdtimes","https:\/\/www.linkedin.com\/company\/sdtimes\/"]},{"@type":"Person","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/e0f273b980b8e16bc8d40ac339edafc6","name":"SD Times","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/image\/12a3751daacf16712c32bd81bc5a3040","url":"https:\/\/secure.gravatar.com\/avatar\/b13d7778dc0e9a25bd7775c197be5132?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b13d7778dc0e9a25bd7775c197be5132?s=96&d=mm&r=g","caption":"SD Times"},"url":"https:\/\/sdtimes.com\/author\/sd-times-staff\/"}]}},"_links":{"self":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/41400"}],"collection":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/users\/804"}],"replies":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/comments?post=41400"}],"version-history":[{"count":2,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/41400\/revisions"}],"predecessor-version":[{"id":41484,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/41400\/revisions\/41484"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media\/38144"}],"wp:attachment":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media?parent=41400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/categories?post=41400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/tags?post=41400"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/coauthors?post=41400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}