Getting developers to address security issues during the development of their applications as opposed to after they have been deployed is a cherished goal of most IT organizations. Fixing a security issue after an application is deployed is obviously several orders of magnitude more expensive.
To help drive awareness of security into the application development process, CA Technologies has plunked down $614 million to acquire Veracode, a provider of a suite of security testing software that is delivered using a software-as-a-service (SaaS) model.
Mordecai Rosen, general manager for the security business at CA Technologies, says Veracode is the latest in a series of acquisitions that the company has been making to expand its DevOps portfolio.
“We see this as an opportunity to bridge DevOps and security,” says Rosen.
Veracode CTO Chris Wysopal says the challenge going forward is to make it simple enough for developers to embrace security within the context of their existing application development projects.
“Application security can’t be a separate discipline,” says Wysopal.
The degree to which developers address security issues at the front end of the development process affects everything from how secure the application is to the amount of risk being assumed by the organization that deploys it. The trouble is that no matter how long that’s been the case, far too many developers have for one reason or another not made application security a core part of their ethos.
A major reason for that, of course, is that security was either viewed as too hard to implement and verify or simply seen as someone else’s job. But as more developers are held accountable for the security of the code they write, a corresponding amount of interest is finally starting to emerge among developers in finding the most efficient way to achieve it.