“All organizations should have some kind of risk management,” Rao said. That’s needed to create a protocol for how critical security vulnerabilities are handled.
She said one way to do it is to give developers a deadline—one or two weeks—to fix a critical defect. If a query to the defect management tool shows that it hasn’t been fixed by the deadline, “then pause the pipeline. Immediately notify the development team, saying you cannot go to production.”
Or alternatively, “someone needs to sign off—take the ownership,” she said. “Say ‘I know there is a critical vulnerability but I have other controls in place and I need to push this to production.’ The defect management tool helps you control that.”
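The deadline-and-sign-off gate described above, as an added example that is not code from the article or from Rao: it mirrors a query against a defect management tool and pauses the pipeline when an overdue critical defect has no owner. The ticket shape, the 14-day deadline and the sample tickets are assumptions constructed for the example, not a real Jira API.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Deadline from the article: one or two weeks to fix a critical defect (14 days assumed here).
CRITICAL_FIX_DEADLINE = timedelta(days=14)

@dataclass
class Defect:
    """Minimal view of a ticket in a defect management tool (assumed shape, not a real Jira API)."""
    key: str
    severity: str            # e.g. "critical", "high"
    opened: date
    fixed: bool
    signed_off_by: str = ""  # non-empty when someone has taken ownership of the risk
    signoff_reason: str = "" # the compensating controls they cite

@dataclass
class GateDecision:
    allow: bool
    blocking: list   # overdue criticals with no sign-off: pipeline must pause
    accepted: list   # overdue criticals someone explicitly signed off on

def query_overdue_criticals(defects, today):
    """Mirror the tool query: critical, still open, past the fix deadline."""
    return [d for d in defects
            if d.severity == "critical" and not d.fixed
            and today - d.opened > CRITICAL_FIX_DEADLINE]

def pipeline_gate(defects, today):
    """Pause the pipeline unless every overdue critical carries an explicit, reasoned sign-off."""
    blocking, accepted = [], []
    for d in query_overdue_criticals(defects, today):
        if d.signed_off_by and d.signoff_reason:
            accepted.append(d.key)
        else:
            blocking.append(d.key)
    return GateDecision(allow=not blocking, blocking=blocking, accepted=accepted)

# Constructed sample tickets (not real data).
TODAY = date(2024, 3, 20)
SAMPLE = [
    Defect("SEC-101", "critical", date(2024, 2, 20), fixed=False),  # overdue, no owner -> blocks
    Defect("SEC-102", "critical", date(2024, 3, 15), fixed=False),  # still within deadline
    Defect("SEC-103", "critical", date(2024, 2, 1), fixed=True),    # already fixed
    Defect("SEC-104", "high", date(2024, 1, 1), fixed=False),       # not critical for this gate
    Defect("SEC-105", "critical", date(2024, 2, 25), fixed=False,
           signed_off_by="a.owner", signoff_reason="compensating control in place; fix scheduled"),
]

if __name__ == "__main__":
    decision = pipeline_gate(SAMPLE, TODAY)
    if not decision.allow:
        print("Pipeline paused: unresolved critical defects", decision.blocking)
    else:
        print("Proceed; risk-accepted defects:", decision.accepted)
```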
Defect tracking, she said, can also help improve the quality and security of the code being written by the development team.
“Over months or even weeks, you will be able to see the ROI of what happened with this workflow,” she said. It will keep a log of who on the development team is making the most mistakes, how quickly the defects are being fixed and who fixed them.
“The tool you use has all those metrics,” she said, “so you can see trends. Is the number of vulnerabilities going up? Do my developers need more training? Do I need to help them with instructor-led training, e-learning, or defensive programming? What are some of the vulnerabilities that they are creating over and over again? You get all these insights when you have a very tightly controlled defect management workflow.”
That, Rao added, can be much more effective than a PDF or spreadsheet that nobody looks at. “Having this tight loop where they create the ticket and you’re able to run the specific tool to identify whether they really fixed the vulnerability or not, that’s where you get a lot of benefits.”
The bottom line is to help organizations understand that security defects are just as important as quality assurance (QA). Often, she said, “when teams find QA defects, they immediately create a ticket in Jira, but when it comes to security, they are more likely to say that maybe it’s a false positive.”
But if organizations customize and configure their security tools, they won’t have to sacrifice speed for security.