Micro Focus is now part of OpenText. Learn more >

You are here

You are here

5 steps to building a developer-first application security program

Harshil Parikh CEO & Co-Founder, Tromzo
Two hands reaching across agap

The DevOps culture promotes an understanding between developers and operations that achieving a successful outcome for the software they build requires them to share the responsibility. The efficiencies in this approach help businesses to produce software at an ever-increasing pace.

But as the speed of software development increases, security teams are often left struggling to keep up. In many organizations, application security professionals are feeling overwhelmed and frustrated.

A good alternative is a developer-first program that allows companies to identify security needs and resolve them early in the development lifecycle. It is less expensive, faster, and more efficient to shift left—to identify and sort out issues early—because developers don't have to pull away from another project to go back and build fixes.

By shifting security functions left, app sec teams have time to focus on higher-value security engineering tasks and build secure "paved paths" for developers to follow. In this way, the security team works with developers rather than creates speed bumps or barriers to developer productivity.

Below is a step-by-step plan for how organizations can shift their security program left to magnify the benefits of the DevOps culture.

The benefits of developer-first app sec

Results from my firm's recent survey, "State of Modern Application Security: Insights From 400+ AppSec Practitioners," support the idea that a developer-first approach to application security can keep the app pipeline running smoothly.

When asked what would have the most influence on improving their app sec program, respondents' top answer was reducing friction between the developer and security teams. A significant benefit of a developer-first app sec environment is the increased collaboration between these teams.

Normally, in order to do their jobs, security teams present developers with a host of last-minute issues. This unexpected work slows the business down and creates friction between the teams. And sending a developer a 100-page scan results report months after the dev team has deployed the software will undoubtedly cause friction.

How to build a developer-first app sec program

Here's what you need to do to create an effective practice.

Step 1: Promote cross-functional expertise

It is essential to understand how developers work. App sec is deeply coupled with the software development process, so for any app sec program to be successful, security leaders need to know how software is built.

Your security teams must meet with development teams to understand how they build and deploy code and what systems they use for that process. This approach helps your security team better understand the processes and tools they will need to be familiar with.

Step 2: Integrate app sec into your software process

Organizational leaders should integrate app sec deeply into development workflows. For application security to be effective, it has to be a part of the development lifecycle. Once security pros deeply understand how dev teams work (Step 1), you can determine the best time to perform a security risk assessment and run threat modeling, architecture review, and other tool-based testing. Teams should perform threat modeling early in the design phase or when significant software designs have been modified. It may be easier to run security tools and scans post-development, but including the results of these tests as part of a CI pipeline is much more effective and efficient.

Step 3: Empower dev teams 

Development teams should be empowered to be self-sufficient in security testing processes. It's a matter of numbers: The considerable gap between the number of developers in most organizations and their security counterparts continues to grow. It is not uncommon to find 100 developers for every app sec engineer in large organizations.

App sec teams will never grow fast enough to scale with the constantly growing engineering organizations, so the focus must be on scaling the security function, not the number of people on the security team.

This imbalance means that there are large parts of app sec that need to be owned by developers. Designated security champions within the ranks of developers who require only minimal support from the app sec team can help shift security left.

In the survey, app sec professionals said developers who ignore security is the greatest challenge they face. Leaders need to clarify that software developers are responsible for the security posture of the code they build and help them to succeed. Organizations should focus on introducing modern and developer-first tools and simple processes to drive adoption and accountability.

Step 4: Enforce accountability

Leaders must couple accountability for security to the empowerment granted in Step 3. While empowered developers make security decisions and own the security posture of their code, security professionals should maintain oversight and enforce accountability.

For example, a sufficiently trained developer might decide to delay or even omit a fix for an identified vulnerability. But when that happens, the developer must document these security-related decisions and security professionals must report them so senior management can include them in the business's security risk calculations.

Step 5: Provide security guardrails

Leaders should not expect developers to be security experts; that's not their training, and it's not their job. Organizations should use app sec teams to help developers by giving them access to secure frameworks, secure libraries, and secure defaults, making the most secure option the easiest choice.

Build guardrails within the developer processes and systems that ensure they don't go off track and unknowingly make dangerous decisions. The path of least resistance should always be to produce secure code. If the organization's procedures require developers to engage in cumbersome processes to achieve secure code, they will take shortcuts to bypass security.

The future is developer-first

According to the app sec professionals surveyed, reducing friction between developers and security would have the greatest impact on improving their application security. To do this, organizations must adopt a developer-first approach to security.

As development teams continue to own more security testing and remediation aspects, app sec teams need to transform themselves to provide security expertise for solving complex challenges and maintain oversight of the developer teams' security performance. While developer teams might own tactical security tasks, the app sec team will continue to be the experts in making risk-based decisions and driving security accountability across the development teams.

Application security is taking its first steps toward becoming integrated into developer workflows. This integration creates both opportunities and challenges. As organizations strive to make app sec an enabler that helps developers build secure software faster, they also make their digital transformation journeys safer and faster.

CISOs must eliminate the friction that now exists between developers and security so app sec teams can scale their security programs. Achieving security at scale requires a developer-first approach that ensures security processes are uncomplicated for developers so they can focus on shipping great software. Only then can app sec teams focus on higher-value strategic work.

Keep learning

Read more articles about: DevOpsSecure DevOps