We’ve said it before but it bears repeating: application security isn’t optional anymore. Customers at every level are demanding that the applications they use be secure from the start. Software vendors are well aware of this. According to a recently published report commissioned by Mend.io from TechTarget’s Enterprise Strategy Group, 85 percent of software development organizations surveyed agreed that application security is a board-level priority, but barely half believe they are able to effectively remediate a critical vulnerability.
Those organizations that do feel confident in their ability to address and prioritize vulnerabilities are 3.3x more likely to have extensively incorporated security into their development processes (DevSecOps). This makes sense. Putting some security processes into the hands of developers means addressing concerns earlier, giving your teams the ability to see issues quickly and in context, and the time to apply thorough remediation before release.
Making security a developer responsibility is a smart move for organizations of any size, but it must be implemented correctly. Here are some things you can give your devs to help them keep your applications secure while still meeting release deadlines.
We’ll be going more in-depth on how to foster great security culture next week. For this blog we’ll just say this: developers will listen and prioritize security if it comes down from the top. Make the decision to prioritize and shift security left – that is to say, earlier in the software development lifecycle (SDLC) – and make sure that message comes down loud and clear from the highest levels of the organization.
Equally important to shifting security left is shifting smart by making sure that prioritizing security doesn’t cause any significant increase in work or disruption in workflow for your developers. Shifting left is about time and priorities. Shifting smart is about tools. Which gets us to…
Give developers tools that integrate seamlessly into their work environments and thus work without the need to make any major changes to their habits or workflow. Software composition analysis (SCA) for open source code and static application security testing (SAST) for custom code can both easily integrate into your developers’ favorite IDEs and find (and often automatically remediate) security vulnerabilities as developers work. As an added bonus, a good SCA tool (we prefer Mend SCA, of course) can generate SBOMs and keep your compliance teams happy by automatically rejecting the use of open source libraries whose licenses expose your code to legal risk.
Another tool to consider is a dependency management tool that can automatically keep open source dependencies up to date. Although the security benefits may only be a secondary interest, developers love dependency management tools and most are probably already using one. Even so, it’s a good idea to make sure these tools are used consistently by all of your developers.
What devs don’t know can hurt you. Ongoing security training that keeps developers abreast of the latest security threats and vulnerabilities, refreshes coding best practices, and drills them on security skills is a vital part of implementing security in the development stage of the SDLC. Investment in security training and awareness programs can save a lot of money and heartache in the long run.
It’s also important for your developers to know and collaborate with your security team. Allow some time for security code reviews and give your developers feedback on what they’re doing right and how they can improve.
Knowledge is power. While good relationships with security staff are vitally important, developers also need resources at their fingertips. Good security documentation serves as a reference guide and knowledge base for developers whenever they need it. Help developers implement security features correctly and consistently by providing them access to security documentation and training that gives them clear guidance, compliance information, and a history of past vulnerabilities, remediation strategies, and changes.
Additionally, encourage developers to use established security frameworks (like NIST’s Cybersecurity Framework) and libraries. Having documented standards that developers can carry from project to project saves time and helps new developers onboard swiftly.
Security teams are notoriously understaffed and overworked. Passing some of the work over to developers and giving them what they need to succeed not only lightens the load on security teams, but can also improve the overall flow of your software development lifecycle, giving you the ability to release secure software faster.