Today’s developers are no longer expected to be single-discipline specialists. The need for secure, production-ready software, combined with a faster software development lifecycle (SDLC), has pushed developers to take on broader skills across QA, operations, and even security so that what they ship is secure in production.
This need to “shift right,” meaning to feed insights from applications running in production back into security-focused development, is at a critical juncture for small and medium-sized enterprises and large enterprises alike. Developers are building security programs as a framework for safer product releases, but this can be daunting, especially for development leaders on small teams. If you need a place to start, here are three key questions your program needs to answer, with recommendations from DevOps leaders across the security, healthcare, and financial services sectors.
How can my team release several times a day or week without unknowingly introducing new vulnerabilities?
Achieve code safety through shared responsibility between teams.
Financial services firm Remitly creates autonomous product teams that include not only developers but also product managers and marketing professionals. “The focus is not to split teams up into siloed islands, but to make each team take responsibility for its code and product,” says Kevin Hanaford, Director of Security Infrastructure and Information Technology at Remitly.
How can I build the basic processes, adopt secure coding practices, and use the automated tooling that together form the basis of an effective application security program?
Equip your developers with an instantaneous feedback loop.
“As regulatory controls are deemed necessary, we need to push those down to the developer,” says Kim Smathers, Head of Information Security for Snapdocs. “It is in our best interest to create an environment for the developer where the developer is getting feedback immediately, all the way through the process—stop signs that say, don’t go forward, go back and do it this way instead.”
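One concrete form of such a stop sign is a git pre-commit hook that refuses a commit the moment a staged change looks like it contains a credential. The script below is an added example and is not code from the article, from Snapdocs, or from any other company quoted here; the pattern list and the `scan_for_secrets` function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a git pre-commit hook that gives the developer an immediate "stop sign"
# when a staged change looks like it contains a credential. Not the article's or any
# quoted company's code; the pattern list and function name are illustrative assumptions.

# A few well-known credential formats (illustrative, not exhaustive):
# AWS access key IDs, GitHub personal access tokens, PEM private key headers.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_for_secrets: reads a unified diff on stdin and checks only the added lines
# (leading '+', but not the '+++' file header). Prints the offending lines to stderr
# and returns 1 if any match, 0 if the diff is clean.
scan_for_secrets() {
    hits=$(grep -E '^\+[^+]' | grep -E -- "$SECRET_PATTERNS" || :)
    if [ -n "$hits" ]; then
        printf 'STOP: possible secret in staged changes, remove it before committing:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# When installed as .git/hooks/pre-commit, git runs this script with no arguments and
# a non-zero exit aborts the commit. The guard lets the function above be sourced and
# tested outside a repository.
if [ "${0##*/}" = "pre-commit" ]; then
    git diff --cached --unified=0 | scan_for_secrets
fi
```

Copy the script to `.git/hooks/pre-commit` and make it executable. A local hook is a developer convenience, not a control: anyone can skip it with `git commit --no-verify`, and it is not distributed with the repository, so the same scan has to run again in CI where it cannot be bypassed. The feedback loop the quote describes is the combination of the two, the hook for speed and the pipeline for enforcement.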
What other means are there to embed security in the SDLC and in production to defend our web-layer assets?
Designate a security champion in every development team so security knowledge is decentralized.
LeanTaaS develops software that increases patient access to medical care by optimizing how health systems use expensive, constrained resources. Chandra Kalle, Senior Director of Engineering at LeanTaaS, has made sure that each development team has nominated a member to be responsible for security.
“Having a security champion is the difference between a development group that merely complies with policy and a group that focuses on better software security.”