3 ways to balance app innovation with app security
New innovations come with an onslaught of risks and vulnerabilities. Use these three concepts to promote innovation, while ensuring web application security.
Security teams and cybercriminals are locked in a race: innovation occurs at breakneck speed, and new risks emerge just as quickly.
Security teams are feeling the pressure, and many existing tools and processes just don't hold up. Add staffing shortages and the time it takes to investigate vulnerabilities manually, and securing the modern enterprise becomes far harder.
It's time for organizations to seek an alternate path. Enterprises can use automation to remove the security bottlenecks preventing development teams from innovating more effectively, efficiently and securely.
Tame false positives and reduce manual work
False positives are a problem for most organizations. A recent survey reported that 45% of alerts are false positives. At that rate, larger organizations waste, on average, nearly 10,000 hours per year checking unreliable vulnerability reports, which can cost up to $500,000 annually.
Automatic confirmation of direct-impact vulnerabilities -- exploitable proof that a reported vulnerability is real -- is one way enterprises can reclaim that time and money. Instead of flagging a response that merely looks suspicious (an error string, a timing difference), the scanner sends a payload whose effect can only occur if the flaw is real, such as making the database return a value of the scanner's choosing, and then checks for that effect. A confirmed finding needs no manual reproduction; only the unconfirmed ones still need a human. This works for vulnerability classes with an observable direct impact, such as OS command injection, path traversal and SQL injection.
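To make concrete what "exploitable proof" means, here is an added example in Python (not Invicti's scanner code and not part of the original article): a constructed in-memory application with one injectable endpoint and two parameterized ones, probed first with an error-signature heuristic and then with a UNION payload whose effect can only come from real SQL injection. The handler names, the marker string and the toy application are assumptions made for illustration.

```python
import sqlite3

# Constructed in-memory "application" with two users; it stands in for the
# real web app a scanner would probe over HTTP.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

CONN = make_db()


def render(rows):
    """Minimal HTML body, as the app would return it."""
    return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"


def vulnerable_handler(name):
    """Deliberately injectable: the parameter is concatenated into the SQL."""
    try:
        rows = CONN.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    except sqlite3.Error as exc:
        return 500, f"database error: {exc}"
    return 200, render(rows)


def safe_handler(name):
    """Parameterized query: the input never reaches the SQL parser."""
    rows = CONN.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return 200, render(rows)


def noisy_safe_handler(name):
    """Parameterized as well, but rejects quotes with a misleading error page.
    This is the classic false-positive source for error-signature scanners."""
    if "'" in name:
        return 500, "database error: unrecognized token"
    return safe_handler(name)


def error_signature_check(handler):
    """Heuristic detection: send a lone quote and look for an error page.
    Cheap, but it cannot tell a real injection from an app that merely
    complains about odd input."""
    status, body = handler("alice'")
    return "suspected" if status == 500 and "error" in body.lower() else "clean"


# Hypothetical marker, chosen so that no legitimate row could ever contain it.
MARKER = "PROOF-c1d7e0"


def proof_based_check(handler):
    """Confirmation by exploitation: a UNION payload that makes the database
    itself return MARKER. The marker can only appear in the response if the
    payload was parsed as SQL, so its presence is proof rather than a guess."""
    payload = f"x' UNION SELECT '{MARKER}"
    _status, body = handler(payload)
    return "confirmed" if MARKER in body else "unconfirmed"


def triage(handlers):
    """Run both checks over every endpoint; returns {name: (heuristic, proof)}."""
    return {
        h.__name__: (error_signature_check(h), proof_based_check(h)) for h in handlers
    }


if __name__ == "__main__":
    endpoints = [vulnerable_handler, safe_handler, noisy_safe_handler]
    for name, (heuristic, proof) in triage(endpoints).items():
        print(f"{name:22s} heuristic={heuristic:9s} proof={proof}")
```

Run it and the heuristic flags both the injectable endpoint and the harmless one that merely returns an error page for quotes, while the proof-based check confirms only the real one. The caveat a practitioner should keep in mind: "unconfirmed" means no proof was obtained, not that the endpoint is safe. Confirmation reduces false positives; it does not by itself reduce false negatives, and only classes with an observable direct effect can be confirmed this way.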
Companies waste time and money on false positives, but underpowered tools and manual processes also crush efficiency. Manual verification delays remediation and pulls engineers away from more valuable security work. Although it's critical to embrace and invest in automation, many application security (AppSec) professionals report that their programs still don't have enough of it. Automated AppSec testing can discover, test and route issues for remediation quickly, freeing up time for high-value security and development projects.
Remove bottlenecks and integrate workflows
Without the right tools in place, AppSec is tedious. Developers are frantically building apps to keep up with the competition, while security teams are faced with an ever-growing backlog of issues to verify, triage, assign and monitor. Organizations often prioritize vital business assets, while leaving the rest of the attack surface exposed. The integration of security within the software development lifecycle is often also lacking.
This is the reality of enterprise security: seemingly endless backlogs. Advanced tools can help enterprises tame false positives, embrace automation and ensure security is involved in the entire development process.
Improved AppSec is within reach
The pace and scale of app development has created a security crisis. Enterprise security teams make tradeoffs every day just to keep up, though they are painfully aware the next big data breach could be right around the corner.
DevSecOps professionals have a massive challenge. It's simply not enough to zero in on specific vulnerabilities; the scale, speed and complexity of web app development render the approach ineffective and inefficient. Organizations need to shift security left and ensure AppSec testing is fully integrated into the development process. But they must also protect the attack surface on the right by scanning web applications in production.
It's a top-down issue, too. Many organizations struggle with security implementation because leadership doesn't prioritize it or it's assumed the security team has it covered. It's critical leaders not only encourage cultural changes, but also ensure their teams have the right AppSec tools in place.
Isolating security teams creates even more risk, as other departments may skip best practices to speed up the development process or assume another team has it covered. Effective security is only achievable if company executives set security expectations: Security must be integrated into development, and everyone must be held accountable for security KPIs.
Taming false positives, adopting automation and improving workflows are three concepts to help organizations innovate, while ensuring app security.
About the author
Mark Ralls is president and COO of Invicti. In this role, Ralls helps set, communicate and drive company strategy and execution by bringing deep expertise in analytics, marketing, operations and M&A. He is a proven leader of high-performing teams and has a passion for helping companies grow and scale. Ralls previously held leadership roles at Vista Consulting Group, Social Solutions Global, SolarWinds and Boston Consulting Group. Ralls holds a B.S. in mechanical engineering from the University of Texas at Austin and an MBA from Harvard Business School.