The DevOps culture promotes a shared understanding between developers and operations to ensure that the responsibility for creating a successful outcome is distributed evenly. The efficiencies in this approach enable businesses to produce software at an ever-increasing pace.
As the pace of software development increases, security teams are struggling to keep up. And, the widespread use of continuous integration and continuous delivery (CI/CD) to bridge gaps between developers and operations by enforcing automation can further exacerbate the gulf between development and security.
The current conditions in many organizations leave the outnumbered application/product security professionals feeling overwhelmed and frustrated.
In this blog, I'll review how our State of Modern Application Security: Insights From 400+ AppSec Practitioners suggests that a developer-first approach is the only way to address this application security challenge. Additionally, I'll outline a step-by-step method for how organizations can shift security left and leverage the benefits of DevOps culture.
The benefits of a developer-first approach to application security
A significant benefit of a developer-first AppSec environment is the increased collaboration between these teams. Traditionally, this relationship has been one of tension and frustration, but the developer-first approach allows for a more efficient and effective exchange of information, leading to better application security. According to our survey, if organizational security leaders could reduce the friction between the developer and security teams, they believe it would have the most impact on improving their application security program.
Security teams often present developers with a host of last-minute and unprioritized security issues. This unanticipated work slows the build down and creates friction between the groups.
A developer-first program enables developers to identify and address security needs earlier in the development lifecycle while also prioritizing vulnerabilities based on context.. This workflow makes it less expensive, faster, and more efficient to identify and resolve issues as early as possible, preventing the need for developers to pull off another project to come back and build fixes.
The security team can focus on higher-value tasks if they shift security functions to the left. This allows time for AppSec teams to build secure "paved roads" for developers to follow, which creates a more productive relationship between the two groups.
How to build a developer-first AppSec program
Step 1 - Facilitate Cross-Functional Understanding:
It is essential to understand how developers work to succeed in AppSec. AppSec is closely related to software development, so security leaders need to understand developers' processes and tools. Meeting with development teams can help security leaders better understand how developers build and deploy code and what systems they depend on.
Step 2 - Integrate AppSec in Developer Workflows:
Organizational leaders should ensure that they have integrated AppSec deeply into development workflows for it to be effective. They should do this early in the design phase or when significant software changes have been made. Security must be a part of the development process to understand how the team works and the best time to perform security risk assessments, threat modeling, and other tool-based testing.
Security scans can identify and fix architectural flaws in software post-development, but doing so can be costly and create conflict. Running security tools and scans post-development may be easier, but it's essential to include test and scan results as part of a CI pipeline. Including the results of security tools as part of a CI pipeline is more effective and efficient than sending developers a report months after deploying the software.
Step 3 - Empower Developers:
Organizations should empower Dev teams to be self-sufficient in their own security testing processes. This additional responsibility will help to remediate the gap between the number of developers and security engineers in most organizations.
Designated security champions can help shift security left by ensuring that developers consider security throughout the software development process. These champions require only minimal support from the AppSec team, which allows the AppSec team to focus on scaling the security function.
Leaders need to clarify that software developers are responsible for the security posture of the code they build and then enable them to succeed. Organizations should focus on introducing modern and developer-first tools and simple processes to drive adoption and accountability.
Step 4 - Enforce Accountability:
Developers empowered to make security decisions and own the security posture of their code must be held accountable for their actions. Security professionals should maintain oversight and enforce accountability to ensure that developers take the necessary precautions to keep information safe.
Developers are responsible for security decisions related to the code they write. This includes decisions about whether or not to fix vulnerabilities and how to mitigate risks. However, developers must document these security-related decisions so that security professionals can report them to senior management. This way, the business can include them in its security risk calculations.
Step 5 - Create Security Guardrails:
Leaders should not expect developers to be security experts, that's not what they have trained to be, and it's not their job. Organizations should use AppSec teams to enable developers by giving them access to secure frameworks, libraries, and defaults, making the most secure option the easiest. Security teams can provide these frameworks, libraries, and defaults so that developers don't have to spend time researching the best options and instead focus on building features and functionality.
Developers need to be able to work quickly and efficiently, so implementing any process that slows them down will only lead to shortcuts. Security must be a priority, so the organization's procedures should be designed to enable developers to write secure code with minimal hassle.
A developer-first approach is the future
As development teams take on more responsibility for security tasks, AppSec teams need to shift their focus to providing security expertise and guidance for solving complex challenges. They must also maintain oversight of the developer teams' performance on security, ensuring that dev teams promptly identify and address critical vulnerabilities. While the developer teams may own specific tactical security tasks, the AppSec team remains responsible for making risk-based decisions and ensuring security is a priority across the entire development organization.
Application security is becoming more integrated into developer workflows. This integration creates opportunities and challenges. Organizations can use AppSec to help developers build secure software faster, making the digital transformation journey safer and faster.
Developers and security teams often have a difficult time working together. This discord can lead to security processes that are complicated and time-consuming for developers. This complexity can, in turn, lead to a lack of security features in the software, which can leave companies vulnerable to attack. To achieve security at scale, it is crucial to take a developer-first approach that ensures security processes are uncomplicated for developers. Only then can AppSec teams focus on higher-value strategic work.