“Many companies today are not devoting sufficient attention to aspects of application security. Most companies invest considerable resources in securing infrastructure, such as firewalls, when in fact hackers can exploit software vulnerabilities to break through,” said Mati Siman, CTO and founder of Checkmarx, in an interview for People and Computers.
Siman spoke of a well-known problem regarding this matter: “Many times, information security issues are revealed only at the end of the development process of the application, which naturally is really close to its release date. Consequently, there is a dilemma whether to release an application knowing it is vulnerable, or postpone the launch until the defects are fixed. This leads to many conflicts between development teams and information security personnel. It is worth remembering that repair costs at this late stage are much higher, in the range of hundreds or even thousands, than if repairs are done during development.”
But Siman also offers a solution to this problem: “Examine the source code of the application while it is still in development, and make sure programmers correct any security defects as soon as they’re created. The ideal way to do this is integrating security right at the initial development, and including aspects of information security as an integral part of the development process of the application, the so-called SDLC (Software Development Life Cycle).”
Checkmarx was established in 2006 and has about 100 employees. “We are developing a product that automatically and accurately scans the source code of the application, and then finds information security issues, which in turn are presented to the programmers, along with guidelines on the best way of fixing these problems,” said Siman, adding that “organizations now refer to bugs in information security differently from usability or performance ones. It’s important that organizations incorporate this testing process in the development process, just like QA. Security cannot be separated from the rest of the processes.”
Siman finished by quoting recent research by the Ponemon Institute, saying that “the cost of the damages from a security leak that wasn’t taken care of during the development process is 7.2 million dollars on average; its detection process takes around 80 days on average and over 4 months (123 days to be exact) to fix. Alternatively, if a bug is discovered during the build phase it costs $240, during the QA phase it costs $960, and in production its cost reaches $7,600. These figures show why it is necessary to detect the security leak as early in the process as possible.”