Security is an undeniable necessity for the survival and success of any company. COVID-19 accelerated digital transformation initiatives across all industries and this shift placed significant pressure on developers to push software to market at unprecedented speed. However, more development cycles also mean more opportunity to introduce vulnerabilities into the code base and higher likelihood of those vulnerabilities making it into production – ultimately increasing the likelihood of cyberattacks.
Digital business mindset
While developing a seamless and successful digital mindset with a security strategy is not a simple task, the effort is crucial for the health of a company. Unfortunately, security tools haven’t always gotten the best rep with developers, who feared the tools would slow them down, reflect poorly on their work, or even cost them their job if something were to go wrong. For example, static application security tools (SAST) often yield false positives requiring significant resources to remediate.
Since remediation advice is often generic, in some cases, developers wind up spending an extensive amount of time reading through lengthy documentation to understand the right fix. So how can organizations create a security-first culture despite these barriers?
Support your developers so they can support you
To determine a strategy, organizations must assess their development teams’ needs, preferences, workload and the programming languages they use. To help development teams write more secure code, companies must take measure of developers’ existing security knowledge and workflows, as well as understand how security impacts their end users.
In the modern software development lifecycle (SDLC), developers perform the majority of application security work. But a GitLab survey found 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the SDLC, while 70% of developers shared that they struggle to write secure code and need better guidance.
While training materials do exist, they are often outdated, incorrect, or require too much time to be effectively understood. Organizations must go beyond standard security training, which teaches the basics technicalities like XSS or SQLi, and should equip developers with strategic training that is both relevant and fits into their existing workflows.
Organizations must make it clear to their development teams the benefits of security education in terms of making their workloads easier, more efficient, and less risk prone.
Make security accessible and easy
Scanning, testing, and fixing code inevitably introduces undesired friction into a developer’s workflow. To make writing secure code more palatable to developers, we need to focus on adopting and creating security tools that are purpose-built for developers’ needs. Organizations must ensure that their code analysis processes are not only fast and accurate but that security workflows also fit with the way developers operate to incentivize a smooth DevSecOps process.
Organizations must adopt tools that provide developers with information that is actionable and specific to the programming languages they use, so they can mitigate potential vulnerabilities to deliver the most secure code before it reaches production.
Security products that are built with developer engagement and productivity as the driving principles and can easily integrate into existing workflows to generate automatic results while enabling collaboration, will quickly force antiquated solutions into extinction.
Establish a new norm
To change behavior, developers and security teams alike must understand and buy into the value of a security-first culture. Companies, especially in software, will always prioritize fast development. However, that can no longer come at the cost of security.
Organizations can strive toward a new cultural norm by encouraging a de-facto culture within development teams where best practices, security wins and caution are celebrated and rewarded, and each developer is accountable for the security of the code they write, but also given the tools they need to succeed.