Cybercriminals had a fantastic time in 2014 – breaching major retailers such as Home Depot and Kmart, major financial institutions (notably JPMorgan Chase), and a slew of smaller companies.
Indeed, cybercrimes are growing more common, more costly, and slower to resolve. Those are among the key findings of the fifth annual Cost of Cyber Crime Study conducted by the Ponemon Institute on behalf of HP Enterprise Security.
The 2014 study, which spanned seven nations, found that over the course of a year the average cost of cybercrime for companies in the United States climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days from 32 days in 2013.
Clearly, the need to protect apps (as well as network nodes, servers, and so on) has never been more crucial. For apps, the best approach is to integrate security testing into your development process – a process that is increasingly crafted around DevOps and Continuous Delivery.
DevOps is fundamentally a mindset about how best to bring together two completely different groups of IT people – the developers who create the applications and the IT operations who deploy and manage those applications.
The basic idea of DevOps is to break down barriers in the pursuit of creating excellent software. The idea of separate silos with developers, operations, testers, and management working in isolation, sometimes even in opposition, is dated and flawed.
Continuous Delivery (CD) is a software strategy that enables organizations to deliver new features to users as fast and efficiently as possible. The core idea of CD is to create a repeatable, reliable, and incrementally improving process for taking software from concept to customer.
The key to successfully implementing DevOps and CD is testing, including security testing. Code must be tested repeatedly, at every stage of the pipeline, before any software is released.
If companies fail to integrate security testing into the development process and make it part of the software development lifecycle, they face numerous problems. Top-of-mind: the expense of retrofitting security controls that should have been designed in from the start, and the pain of securing a hybrid system in which legacy software was never built to withstand modern threats.
Automated testing enables the DevOps team to create a continuous delivery system in which new features can be rolled into live software as they are created. In terms of security, the testing should always be pro-active and thorough. To achieve those goals, companies should consider the following:
Security testing in your development pipeline should be no more static than any other part of the pipeline. The checks themselves must be reviewed and updated continually, as the codebase and the threats against it change, so that they keep delivering useful results rather than a false sense of coverage.
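As an added example (this is not code from the original article, nor from any vendor's product), here is one small security check of the kind an automated pipeline can run on every change: a pre-merge gate that scans only the lines a change adds for obvious credentials and returns a non-zero status so the build fails. The rule names and patterns are illustrative assumptions, and the sample diff is constructed for the example; a real gate would add rules as incidents reveal gaps, which is what keeping the security checks "non-static" means in practice.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Hypothetical detection rules, kept as data so the pipeline's security checks
# can be reviewed, extended and versioned like any other code. The names and
# patterns are illustrative assumptions, not a vendor rule set.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-password-assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret)\s*=\s*['\"][^'\"]{6,}['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    excerpt: str


def scan_added_lines(diff_text: str) -> list[Finding]:
    """Walk a unified diff and apply every rule to each added ('+') line.

    Only added lines are scanned: a secret that a change removes is not a
    reason to block the change. Line numbers are tracked from the hunk
    headers so a finding points at the new file, not the diff.
    """
    findings: list[Finding] = []
    path = "<unknown>"
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):          # new-file header
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            continue
        hunk = re.match(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if hunk:
            new_line_no = int(hunk.group(1))
            continue
        if raw.startswith(("---", "diff ", "index ")):
            continue
        if raw.startswith("+"):             # added line: the only thing we scan
            content = raw[1:]
            for name, pattern in RULES.items():
                if pattern.search(content):
                    findings.append(Finding(name, path, new_line_no, content.strip()[:80]))
            new_line_no += 1
        elif raw.startswith("-"):           # removed line: not in the new tree
            continue
        else:                               # context line
            new_line_no += 1
    return findings


def gate(diff_text: str) -> int:
    """Report findings and return the exit status the CI job should use."""
    findings = scan_added_lines(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff for the example; not from any real repository.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
+TIMEOUT = 30
"""

if __name__ == "__main__":
    # In CI: `git diff origin/main...HEAD | python secret_gate.py`
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    sys.exit(gate(data))
```

Run against the built-in sample, the gate reports the hard-coded password on line 2 and the access key on line 3 of app/config.py and exits 1; a change that replaces a literal key with an environment lookup produces no findings and passes. The rule table is deliberately plain data so that adding a pattern is a one-line, reviewable change rather than a rewrite of the check.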
By incorporating solid security foundations and processes into your application development lifecycle, you will protect every current and future software project. Such long-term planning not only makes financial sense, but it is highly likely to result in better quality software.
This article was originally posted in Network World.