The relationship between an application and its security has parallels with any other relationship. At first, there are a few issues, which once addressed, can get fixed quickly. Then comes the honeymoon phase, when the relationship stabilizes and all feels well. But as with all relationships, that phase will come to an end and this all-important question arises: “How do we navigate the end of that period and continue to grow together in a safe and sustainable way?”
For any given application, the honeymoon phase typically lasts about one-and-a-half years, during which time there’s no correlation between the rate of application growth and the introduction of flaws. While the code base of applications grows about 40% per year on average, during this initial phase, 80% of applications do not introduce any new flaws, as found in our recent study. Once that state of bliss ends at the one-and-a-half-year mark, flaws creep in and climb steadily through to year five.
Organizations must take a close look at the honeymoon phase and ask: what is different during the first couple of years that keeps applications from introducing new flaws – and why do flaws start creeping in after about one-and-a-half years?
One contributing factor may be the personnel changes in the later phases of an application’s life. For instance, while the original development team still works on the product, the components and practices used to build it are generally well understood. However, when people move on to new projects or new jobs, different developers are brought in, and some information inevitably gets lost in the shuffle. The application may end up in the hands of contractors or people who lack context as to how or why elements were originally implemented. Meanwhile, new functionality gets built to satisfy customer needs, and teams have to manage that code as well. In a nutshell, as applications grow, they also become more complex. After about 18 months, the dormant flaws of an application begin to “wake up.”
Navigate the changing relationship
Whether because of increased application complexity or changes in how they are managed, there’s clearly a tendency for flaws to increase steadily over time. But there are steps organizations can take to counter that trend:
We also may need to take a closer look at the length of the application’s lifecycle, and we need to acknowledge the upward trend of flaws as an application ages. Organizations may need to decide between action and inaction. It’s helpful to clearly understand the supportability and quality control phases in the organization. Then businesses can more confidently introduce discussions about change management, resource allocation, or organizational controls. Risk appetite or tolerance might also come into play, provided everyone remains aware of the elements that are accumulating.
Those initial discussions could lead to planned obsolescence for some applications, while also enabling a review of the quality control measures involved in continuous product engineering for applications that won’t get retired anytime soon.
Application lifecycles include a predictable pattern of flaw introduction, but no matter how predictable, like all relationships, they take work. Improving application security means taking the necessary steps—including automation and developer training—to ensure a safe and sustainable lifecycle. There’s no easy fix, but making some of these small adjustments now and implementing a purposeful application lifecycle management program could get teams in the right place in the coming years. It’s the necessary investment in the software security relationship that will let an application savor the honeymoon phase and go the distance.
Chris Eng, chief research officer, Veracode