
## 1. Security as an afterthought

Developers heavily outnumber security specialists in most organizations. Having developers create code and involving security at later stages in the development cycle is a losing battle because of the high speed and volume of releases. This approach doesn’t scale to cover all applications and keeps vulnerabilities from being discovered until it's too late—resulting in vulnerable code being pushed to production.

> Solution: Shift security left and scale security efforts to cover all applications, starting from the early stages of development.


## 2. Silos and Dev-Sec friction

Traditionally, communication between developers and security teams tends to be issue-driven or incident-driven. But bulk communication by only email, PDF reports, or GitHub issues leads to friction and is frustrating for everyone.
For developers, issues raised by security might not matter for day-to-day development or may include feedback for a project that should’ve already been finalized. Fixing these issues only adds stress around rescheduling sprint tasks and effort—making security a roadblock for innovation.
For security teams, it’s frustrating not to be involved during the architecture, design, and early phases of development. It can also be challenging to explain organizational and <a href="https://resources.github.com/whitepapers/Application-security-guide/">application security</a> risks to developers who don’t have years of security expertise. In the end, poor communication leads to less collaboration and empathy overall.

> Solution: Make security part of development by integrating tools into your developer workflow. Promote discussions and asynchronous collaboration between both teams.


## 3. Security as a checkbox exercise

Just like the importance of security varies between organizations, actual security practices also vary within organizations themselves. The difference between formal security policies and how they’re put into practice can be confusing and make prioritizing security issues even more complicated.

Also keep in mind that application security is just a small part of an organization’s overall cyber security efforts, and tends to be isolated from development and CI/CD. This leads to bad habits like:

Valuing quantity over quality. Focusing on a high number of low-quality security scan results or vulnerabilities doesn’t solve larger problems and only adds more work for developers.
Making security a development problem. Plugging raw security scan results into issue trackers and just assuming that developers will fix them all desensitizes developers to security-related issues.
Not measuring value. Just like any other initiative, the value and ROI of application security efforts should be continuously measured and evaluated. Otherwise, a lack of data can hold your organization back—and not show evidence that security improvements are being made.

> Solution: For an immediate fix, focus on pushing a limited number of real security issues, then prioritize and present them to developers instead of sharing a flood of false positives. On a larger scale, look for security tools that can “codify” new security issues and prevent them from ever being merged into a production branch. Remember: your security tools should actually improve your code—so keep measuring the value and impact of your application security program over time.


<br>
<table>
  <tr>
    <th>
      <h4 class="h4-mktg">Questions about application security?
We’re here to help.
</h4>
    </th>
    <th>
      <h4 class="h4-mktg"><a href="mailt:sales@github.com">sales@github.com</a>
<a href="https://github.com/features/security">https://github.com/features/security</a>
</h4>
    </th>
  </tr>


Secure software is critical for business success today. Here are some common application security pitfalls every software team can watch out for.

Resource Page for /security/three-appsec-pitfalls-security

Three AppSec pitfalls every security leader can avoid

/security/tools/ghas-trial

GitHub Advanced Security (GHAS) enables DevSecOps teams to prioritize innovation while maintaining robust security measures. At GitHub Universe, we explored how the AI-powered features within GHAS surface issues in the context of the development workflow, so vulnerabilities are fixed in minutes, not months. Now you can, too, during this exclusive on-demand webinar.

What to expect:
- Discover how AI-powered features in GHAS help developers ship secure software, faster.
- Get ahead of the revolutionary changes that are reshaping the security landscape.
- See real-world examples of AI-powered security tools in action.

From prevention to remediation, AI-assisted tooling changes everything.

The future of secure software development is here. Let’s dive in. 

A dark background with three large, gradient-filled circle and square, overlapping shapes positioned partially off-canvas, from the top-right of the image. Webinar: Transforming application security with AI.

Resource Page for /security/transforming-application-security-with-ai

Transforming application security with AI

![banner promoting the event including the companies presenting](//images.ctfassets.net/wfutmusr1t3h/7xuRD3AFLtWt2ztUC0z1ag/21080b1c7cff9c9ec69516b836f650b4/237482938-e50a7dd3-3951-4920-9dfe-a8c201d87a1e__1_.png)

__Key takeaways:__

- The latest in application security—and what’s next.
- How to catch vulnerabilities early with GitHub Advanced Security.
- How to implement automated security testing in mobile developments.
- The importance of visibility into application vulnerabilities and weaknesses.

<br /><br/>
__Application security 3.0 : What’s next for Application Security with Niroshan Rajadurai ( GitHub )__
<div class="embed-responsive embed-responsive-16by9">
  <iframe src="https://www.youtube.com/embed/DrIKurdWASQ" width="640" height="375" frameborder="0" allowfullscreen></iframe>
</div>

<br /><br/>
__API Security 101: Best practices for early vulnerability detection and prevention with Colin Domoney (42Crunch Head of Research), Dan Shanahan (GitHub Security Architect)__
<div class="embed-responsive embed-responsive-16by9">
  <iframe src="https://www.youtube.com/embed/gldbJrv5kd4" width="640" height="375" frameborder="0" allowfullscreen></iframe>
</div>

<br /><br/>
__Find and fix mobile security issues fast: a deep dive into NowSecure GitHub Actions with Andrew Hoog (NowSecure Founder)__
<div class="embed-responsive embed-responsive-16by9">
  <iframe src="https://www.youtube.com/embed/VpiGAiPvr-0" width="640" height="375" frameborder="0" allowfullscreen></iframe>
</div>

<br /><br/>
__Scale up your Enterprise AppSec with Scott Kuffer (Nucleus Security COO)__
<div class="embed-responsive embed-responsive-16by9">
  <iframe src="https://www.youtube.com/embed/B1rJN8v41tY" width="640" height="375" frameborder="0" allowfullscreen></iframe>
</div>

Discover how to proactively secure your software and defend against potential threats at our virtual summit, now available on demand! Gain valuable insights and practical strategies to enhance your code security and reduce risk with industry experts from 42Crunch, NowSecure, and Nucleus Security.

/security/

Three AppSec pitfalls every security leader can avoid

Transforming application security with AI

Application Security 3.0