Many application security tools generate a paralyzing amount of noise. As a result, developers have to spend time they don’t have separating false positives from real security weaknesses. Other tools require manual, tedious tasks to initiate scans that take too long. This process disturbs the natural flow of development. To put it simply, these tools can be annoying. And “annoying” can quickly turn into “infuriating” when the security review process delays deadlines.
This raises serious questions about the impact application security tools have in organizations that want to shift left. The point of adopting these solutions is to remove exploitable software vulnerabilities at the application layer. But if they work against the goals of developers, how can we expect those developers to use them? The answer is, we can’t.
The impact of application security tools will ultimately depend on whether they are embraced by their users: the developers. In other words, if developers don’t use a tool, it won’t improve their organization’s security posture. To maximize their impact on software security, application security solutions must support developers and their goals.