Technological innovation doesn’t slow down when it comes to software, but neither do cyberattacks. The rapid pace of modern programming demands agility and security that can scale and improve to meet business needs. Organizations that want to keep up with innovation while staying secure need more than capable tools in their tech stacks; they also need the right people in the right seats to champion security efforts throughout the development process.
That’s where security-minded developers come in. In its 2021 Global DevSecOps Survey, GitLab found that developers are already reporting new job responsibilities associated with security. At the same time, the pace of software development is only speeding up, with more organizations adopting components like microservices and AI to save time. In fact, 60 percent of developers who took the survey said they are releasing code twice as fast as before, and 39 percent feel fully responsible for security at their organizations – up from 28 percent the previous year.
This shift in responsibility can come at a cost if developers aren’t prepared, however. Tim Jarret, Senior Director of Product Management here at Veracode, recently sat down with Charlene O’Hanlon of MediaOps to chat about this very topic. In the March episode of TechStrong TV, Tim and Charlene discussed the evolving developer role of today and how organizations need to solve challenges as they shift more security responsibilities to developers.
Previously, most companies simply bolted security on right before they pushed code to production. But now, Tim said, they’ve discovered that this model isn’t efficient or effective. “DevSecOps is the natural outcome of years and years of security coming in at the end and telling developers that they can’t ship because there’s a requirement they need to meet that they didn’t know about and didn’t have the tools for in the first place,” he explained.
Development teams responded to the challenges of waterfall methodologies by bringing QA into the mix, making it part of the process, and automating more testing. Tim thinks we’re seeing the same motion happening with security right now, albeit slowly. “The response that I see on most development teams is that if this is going to make my release be at risk, I’m going to figure out how to address it earlier in a way that doesn’t keep me from doing all the other great stuff I need to do to get the product out,” Tim explained. It’s a mindset change that needs to come from the top down.
Changing the mindset to keep up with demand
It isn’t enough to just give developers the tools they need to properly write more secure code. DevSecOps requires a mindset change to keep up with demand, according to Tim and Charlene. “We’re not shipping software four times a year anymore,” Tim said. “We’re shipping it ten times a day and the processes, historically, don’t scale for that.”
There’s a critical element of education missing in some organizations too. “It’s hard when the developer hasn’t had to think like an attacker or consider all the ways someone might come in and open all their code up,” Tim said. “That’s not the mindset that’s taught in a lot of universities, that’s not a mindset that a lot of folks get in on-the-job training, so we have to try to rectify that however we can.”
Part of the challenge for most organizations is finding ways to engage developers and turn them into Security Champions. In addition to secure coding training on platforms like Veracode Security Labs, one way to start security education early is through competitions like the Veracode Hacker Games. The Hacker Games challenge university students to improve their security skills so that they are better prepared when they graduate and join the workforce.
“I think there are things we can do at the very beginning of the talent funnel,” Tim noted. “But given all the developers we have in the world already, we have to help them think about how someone breaks their stuff, and also arm them with what they need to know to address those things, code defensively, and correct issues.”
Watch the full episode of TechStrong TV here.