
"Once the coding is done, security teams (or customers) find flaws. Scanning tools also find flaws, often resulting in reports that seem never-ending. Coders are constantly yanked away from new development to re-learn what they wrote, locate bugs, patch them, and release fixes."
"This frustrating process is often called the find-and-fix cycle. Security and QA teams use vulnerability scanners and penetration tests. When problems are found, as they will be, developers work from the bug reports, set up triage queues, and sometimes dedicate blocks of time to remediation sprints."
"Find-and-fix isn't so much a development strategy as it is a reactive response to shipping code. The hope is that security flaws (all flaws, really) can be identified and fixed after release, but before they create serious harm or before your customers show up at your door with pitchforks and torches, demanding reliable code."
"Some security flaws are found so deep in older code that fixing them isn't practical. Code change after code change has been layered on an already shaky, compromised foundation. Getting to the root cause would requi"
With continuous deployment, security issues keep resurfacing as new code, new dependencies, and newly disclosed vulnerabilities arrive. Security and QA teams rely on vulnerability scanners and penetration tests, and the resulting bug reports pull developers off new work to re-learn old code, locate the bug, patch it, and ship a fix, after which the cycle repeats with the next release. This find-and-fix approach is a reactive response to shipped code rather than a development strategy: it hopes to catch and fix flaws after release but before they cause serious harm. Some flaws are so deeply embedded in older code that reaching the root cause would require extensive changes, making remediation impractical.
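One concrete way to cut the never-ending-report noise the summary describes is to baseline scanner output across releases: fingerprint each finding so that issues already triaged last release (open, accepted, or fixed) are recognised when they come back, and only genuinely new findings and regressions land in the developer queue, worst severity first. The following is an added example, not code from the ZDNET article or from any scanner it mentions; the tool name, rule IDs, file paths, snippets and triage statuses in the sample scans are constructed for the illustration.

```python
"""Baseline-diff triage for scanner findings across releases (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Lower rank = more urgent; unknown severities sort last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    tool: str      # scanner that produced the finding (constructed names below)
    rule: str      # scanner rule / check identifier
    path: str
    line: int
    snippet: str   # offending source line as reported by the scanner
    severity: str


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding across scans.

    The line number is deliberately left out: unrelated edits shift code by a
    few lines every release, and keying on the line would make every old
    finding look new again. Keying on the snippet keeps two distinct hits of
    the same rule in the same file apart.
    """
    key = "|".join([f.tool, f.rule, f.path, f.snippet.strip()]).encode()
    return hashlib.sha256(key).hexdigest()[:16]


def triage(previous: dict[str, str], current: list[Finding]) -> dict[str, list]:
    """Bucket a fresh scan against last release's triage decisions.

    previous maps fingerprint -> status from the last triage:
    'open' (still being worked), 'accepted' (risk accepted), 'fixed' (closed).
    """
    buckets: dict[str, list] = {
        "new": [], "regression": [], "recurring": [], "suppressed": [], "resolved": []
    }
    seen: set[str] = set()
    # Sort worst-first so the queue developers receive is already prioritised.
    ordered = sorted(current, key=lambda x: SEVERITY_RANK.get(x.severity, len(SEVERITY_RANK)))
    for f in ordered:
        fp = fingerprint(f)
        if fp in seen:
            continue  # identical finding emitted twice by the tool; keep one
        seen.add(fp)
        status = previous.get(fp)
        if status is None:
            buckets["new"].append(f)            # never seen: needs triage
        elif status == "accepted":
            buckets["suppressed"].append(f)     # risk accepted: do not re-queue
        elif status == "fixed":
            buckets["regression"].append(f)     # was closed, came back: re-queue
        else:
            buckets["recurring"].append(f)      # still open from last release
    # Previously open findings that no longer appear can be closed.
    buckets["resolved"] = [fp for fp, st in previous.items() if st == "open" and fp not in seen]
    return buckets


def run_example() -> dict[str, list]:
    # Constructed sample: last release's scan together with the human triage decisions.
    last_release = [
        (Finding("scanner", "sqli.string-concat", "app/db.py", 40,
                 'cur.execute("SELECT * FROM users WHERE id=" + uid)', "high"), "open"),
        (Finding("scanner", "hardcoded-secret", "tests/fixtures.py", 3,
                 'API_KEY = "test-not-real"', "medium"), "accepted"),
        (Finding("scanner", "xss.unescaped", "app/views.py", 88,
                 "return f'<p>{name}</p>'", "high"), "fixed"),
        (Finding("scanner", "path-traversal", "app/files.py", 12,
                 "open(base + user_path)", "high"), "open"),
    ]
    previous = {fingerprint(f): status for f, status in last_release}
    # Constructed sample for this release: the SQLi moved down 12 lines, the accepted
    # fixture is still flagged, the XSS came back, the traversal is gone, and one
    # new critical finding appeared.
    current = [
        Finding("scanner", "sqli.string-concat", "app/db.py", 52,
                'cur.execute("SELECT * FROM users WHERE id=" + uid)', "high"),
        Finding("scanner", "hardcoded-secret", "tests/fixtures.py", 3,
                'API_KEY = "test-not-real"', "medium"),
        Finding("scanner", "xss.unescaped", "app/views.py", 90,
                "return f'<p>{name}</p>'", "high"),
        Finding("scanner", "deserialize.pickle", "app/jobs.py", 17,
                "job = pickle.loads(blob)", "critical"),
    ]
    return triage(previous, current)


if __name__ == "__main__":
    for bucket, items in run_example().items():
        print(bucket, [getattr(i, "rule", i) for i in items])
```

Of the four findings in the second scan, only the deserialization hit is queued as new and the XSS as a regression; the moved SQLi stays in the existing open ticket, the accepted fixture is suppressed, and the traversal finding that no longer appears is closed. What goes into the fingerprint is the design decision that matters: keying on line numbers re-opens everything each release, while keying only on rule and file merges distinct bugs into one ticket.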
#application-security #continuous-deployment #vulnerability-management #secure-development #devsecops
Read at ZDNET