/apr 16, 2021

The First Step to Achieving DevSecOps Is Shifting Security Culture Left

By Hope Goslin

To achieve DevSecOps you need to shift security left. Sounds simple, right? Well, it’s easier said than done.

A recent survey conducted by SANS Institute found that 74 percent of organizations are deploying software changes more than once per month – an increase in velocity of nearly 14 percent over the past four years. To release software monthly, weekly, or even daily, security has to be integrated into the development process, not tacked on at the end.

Delivery velocity

By scanning code for vulnerabilities in the development phase, flaws are easier and more cost-effective to remediate. In fact, our State of Software Security report showed that organizations following DevSecOps best practices remediated flaws significantly faster – and had less security debt.

But adding security testing into early stages of development is a disruption to the roles of both developers and security professionals. With security in the development phase, developers take on more responsibility for testing and remediating vulnerabilities, and security professionals transition to more of an oversight role. This shift requires training developers in secure coding and remediation tactics, but this is a heavy lift for a lot of organizations.

So how do you get your organization – especially developers – onboard with shifting left?

A good first step is to shift security culture left. In other words, you should begin by helping the development team be more security-minded.

Start by understanding how the development team works. What tools and processes do the developers use? How do they build software? And see if there are any ways that security can be integrated into these tools and processes so that it doesn’t add extra work for the development team.

Then start looking for ways to automate the security tests into the CI/CD pipeline so that the developers don’t have to manually run tests. If security tests run automatically, developers can fix code immediately instead of waiting to hear back from the security team. Automated scans also ensure more frequent scans and a steadier cadence. When developers have to scan manually, it’s easy to forget about a scan or intentionally skip a scan to save time. Automating static analysis scans in the build process is a good place to start.

Lastly, arm developers with the tools and training that they need to fully understand security best practices. Some developers might benefit from instructor-led security courses while others might like on-demand courses or hands-on training tools like Security Labs.

Many organizations with mature AppSec programs also recommend implementing a security champions program for security training. A security champions program is a way for elected developers to bond with security professionals and learn detailed security best practices that can be shared with their broader scrum team.  This program also acts as a force multiplier for security teams with limited bandwidth.

To learn more about AppSec best practices and practical first steps – like which AppSec testing types to deploy first – or for additional information on shifting security left, check out our guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start.  


Related Posts

By Hope Goslin

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.