Putting the Security Cart behind the Application Production Horse

Putting the Security Cart behind the Application Production Horse

‘Don’t put the cart before the horse’ – what does this mean in application development?

In this case, the cart is application security, and it’s undergoing a steady shift left in the development cycle – long before the ‘horses’ of testing, production and launch.

The explanation for this shift is simple – avoiding security vulnerabilities is much easier at a lower-impact, early development stage, compared with the alternative of allowing vulnerabilities to flow through the development cycle.

As the development cycle speeds up, DevOps teams rely more on the production of multiple iterations of an application.

A security strategy centered on thorough testing of the final product becomes an unnecessary bottleneck for such a high-turnover cycle. Instead, incorporating security into early development phases streamlines an integral yet high-touch process.

Security vendors are taking note of this trend and are stressing the importance of developers in their application security tool (AST) marketing – and it’s working.

Incorporating security into early development phases streamlines an integral yet high-touch process.

In a recent 451 Alliance survey, end users were asked during which phase of development they were testing their applications.

Static application security testing (SAST) caught up to dynamic application security testing (DAST) in 2017 as the most common method of AST. In 2015, 34% of organizations ran these tools after new code was introduced; in 2018, it was 49%. The percentage of organizations running these tools only against production environments dropped from 32% to 23% over the same period.

AST Usage by SDLC phase

An additional bellwether of security’s forward shift in the development timeline is who is actually using the tools.

According to survey data, while the information security team is still the largest user at 42%, that percentage is down from 57% in 2015. On top of that, application development team use went from 23% to 31% over the past three years.

This shift underscores a broader, industry-wide emphasis on both security and productivity in the development cycle.

While it’s clear that security is no longer a problem just among security teams, our research highlights an ever-growing need to operate in the leanest, most efficient environment possible.


The 451 Alliance is an invitation-only think tank for IT executives, technologists, and tech-adjacent professionals. Do I qualify?