Guest author Melinda Jacobs is the co-founder of Lucent Sky, a San Francisco-based company that automates how developers find and fix security problems in applications.
When I finished writing this post, I ran spell check, which inevitably found a number of spelling and grammatical errors throughout my writing. I saw the red squiggly lines, right clicked, selected a correction, and rested easy knowing that readers would never see my mistakes.
Currently, when a developer finishes coding an application, whether a web or mobile app, there is no equivalent of "Spell Check" for security errors. Those errors can have any number of consequences, but we know they include delays as applications make their way to testing, resources spent fixing them late in the cycle, and, in the worst case, security breaches.
If the goal is to reduce the number of these vulnerabilities before a product is released, it is equally important to know how fixing them affects runtime performance. Connecting offline activities (the work done during development) to runtime behavior is much easier with integrations such as New Relic, which give visibility into both runtime and development practices.
This post has two goals: first, to explore the inefficiency that results in vulnerabilities being released into applications; and second, to unpack how changes made to offline code can be reported through integrations with New Relic.
So, why do applications get released with known security issues (vulnerabilities)?
A problem of volume
The problem is usually the volume of vulnerabilities rather than the complexity of any one of them. Most enterprise applications don't have just one, or even ten, vulnerabilities in their production code; run-of-the-mill classes such as cross-site scripting and SQL injection can show up at a rate of up to one for every 200 lines of code. In a large enterprise application that adds up to hundreds or even thousands of vulnerabilities.
On the other hand, fixing application vulnerabilities during development is often a time-consuming manual practice. Because fixing known vulnerabilities is so slow, development teams often have to accept a certain amount of known risk when they release a new product. Speeding up that process, so that the volume of outstanding vulnerabilities actually drops, promises to change the equation.
The second piece, complexity, is also relatively predictable. When an application is scanned, about 90% of the vulnerabilities found fall into categories that can be remediated automatically through application vulnerability mitigation (AVM), offered by companies such as Lucent Sky. AVM both suggests the fix (a new piece of code) and tells developers where to put it (the trickier part), which removes the vulnerability. Because most vulnerabilities are low in complexity, AVM can cut their volume significantly.
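To make the "suggest the fix and say where it goes" point concrete, here is an added illustration in Python of the two vulnerability classes named above, each shown as the vulnerable "before" and the remediated "after". This is example code written for this post, not Lucent Sky's code or AVM output; the user table, the function names and the payloads are all constructed for the demonstration. The fix in each case is a one-line change, but it only works if it lands exactly where untrusted input meets the SQL string or the HTML, which is why locating the fix is the harder part.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original post): a tiny in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


# --- SQL injection: the "before" and the remediated "after" ---

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string concatenation, so user input is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Same query; the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- Cross-site scripting: the "before" and the remediated "after" ---

def greeting_vulnerable(name: str) -> str:
    """Interpolates user input straight into HTML markup."""
    return "<p>Hello, " + name + "!</p>"


def greeting_fixed(name: str) -> str:
    """Encodes the untrusted value for the HTML text context it is placed in.

    The encoding must match the context (text node here); an attribute or
    JavaScript context needs a different encoding, which is why the tool
    has to know exactly where the fix belongs.
    """
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def demo() -> dict:
    """Runs the classic payloads against both versions and returns the results."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"            # turns the WHERE clause into a tautology
    xss_payload = "<script>alert(1)</script>"  # would execute in a victim's browser
    return {
        "sqli_before": find_user_vulnerable(conn, sqli_payload),  # every row leaks
        "sqli_after": find_user_fixed(conn, sqli_payload),        # no match, []
        "xss_before": greeting_vulnerable(xss_payload),           # script tag intact
        "xss_after": greeting_fixed(xss_payload),                 # tag is inert text
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

Running the block shows the vulnerable lookup returning both users for a name that matches none of them, while the parameterized version returns nothing; the encoded greeting carries the script tag as literal text rather than markup. Those two diffs are small, and a scanner can propose them mechanically; the value is in attaching each one to the correct source line.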
Agile development and DevOps are both meant to accelerate product development toward faster, more frequent releases. At the same time, development and runtime performance are increasingly linked: we expect what happens at runtime to respond to what happens offline during development, and vice versa.
A matter of visibility
That means developers and operations teams need more visibility from offline to online, so they can quantify how offline development practices affect runtime performance.
New Relic provides a critical part of that visibility, while AVM shows how automated fixes for security issues such as SQL injection and cross-site scripting affect runtime performance. (It can even benchmark that impact against online controls such as web application firewalls.)
The combination offers a more holistic and quantified picture of development and application efficiency, and empowers modern software developers to see the differences and benefits of various development tools and methodologies. Data is power, and the integration of AVM with New Relic helps bridge the gap between offline development and online data and reporting.
For more on using Lucent Sky and New Relic together, see: Lucent Sky Works with New Relic to Put Off-Line Security Into Run-Time Analytics or visit newrelic.com/lucentsky.