2021 is now firmly in our rear-view mirrors. But as we approach the middle of 2022, the lessons of the past year still resonate, especially when it comes to app security. As in previous years, mega breaches and high-profile ransomware attacks were nothing new. What felt different were the responses, both from governments and private industry. We may come to see 2021 as a crucial security turning point: the year we called for action to advance our collective security practices. If 2021 called for action, will 2022 be the year that answers those calls?
A lot of digital ink has been spilled on the need to “shift security to the left,” which in most cases means putting the tools commonly used by security professionals in the hands of software developers. The idea is that as a result of scanning applications for weaknesses early in the development process, development teams will be able to identify and fix software vulnerabilities before they reach production. Ideally, this will relieve overburdened security teams of having to reactively deal with these vulnerabilities just before or even after release, freeing them up for more strategic and proactive security work.
While this is sound in theory, what often happens in practice is that development teams run the prescribed security tools but don’t have the knowledge or support to fix everything themselves, so the vulnerabilities eventually reach the security teams anyway. Scanning and passing vulnerabilities downstream to overworked appsec teams doesn’t really live up to the promise of the shift to the left. It just shifts the problem to the left.
The Security Skills Gap
GitLab’s 2021 DevSecOps Survey found that more than a third of developers surveyed felt “fully responsible for security in their organizations (up from 28% last year), while 32% said they share the load with other teams.” The security expectations placed on development teams only increase. But presenting security scan results without any guidance on how to fix the identified issues, or any explanation of their potential impact, is frustrating for developers, who may choose to ignore the results in favor of delivering code faster, putting the burden back on the AppSec teams. This increases friction within teams and lengthens the release cycle.
For developers to deliver on the promise of shifting to the left, they need real-time security education that enables them to identify and fix security vulnerabilities as they arise, proactively stop security issues, and communicate and assign security responsibilities within their teams. Organizations continue to give enterprise developers additional security responsibilities without providing any support or education on how to respond to security alerts.
The reality is that most developers are not security experts. Even experienced software engineers don’t have time to learn everything in the vast universe of security. What they need is relevant information presented to them where and when they have to understand a specific security problem. That’s why it’s critical that software development platforms meet engineers where they are and provide context-specific, real-time, and continuously updated security training options. Integrated security training is the best way to ensure developers are informed in real time, without offloading security work to already overtaxed security teams.
However, these skills are rarely addressed in academic courses or coding bootcamps. Although most organizations require software developers to complete annual security training, these workshops typically consist of a generic slideshow or video about software vulnerabilities and issues. This style of training rarely leads to a meaningful understanding of the content. Additionally, the time gap between learning and applying the knowledge reduces the potential for long-lasting engagement and retention.
Empowered developers drive security
Unlike previous generations of software developers, who learned primarily from books and academic courses, younger generations of developers learn using online resources like blogs, videos, and bootcamps. In fact, a Stack Overflow study found that nearly 60 percent of developers surveyed learned to code from online resources. The platforms we use to develop software must evolve to meet this new style of learning.
Developers are under enough pressure to deliver code efficiently. Instead of bogging them down with long, unwieldy training, they should be given small coding challenges that provide specific, context-appropriate lessons to build practical skills. This reduces the time gap between learning a new skill and putting it into practice, allowing developers to build muscle memory so they can identify security issues as they code, further reducing the number of common vulnerabilities that appear at the beginning of software creation.
As more organizations adopt a workflow that allows developers to resolve vulnerabilities faster and earlier in the process, they will, over time, be able to deliver secure code at speed while improving the quality of their releases. Secure coding training within the DevOps workflow automates and scales remediation support for developers and allows application security teams to focus on proactively mitigating security risks and strengthening the organization’s application security posture. That is the true potential of shifting security to the left.