4 best practices for cultivating developer security adoption

April 20, 2023

Implementing adequate software supply chain security is a challenging feat in 2023. Attackers are becoming more sophisticated, and the growing complexity of modern applications makes them difficult to defend. We’re talking microservices, multi-cloud environments, and complex workflows — all moving at the speed of business.

To address these challenges, the Snyk team organized two roundtable discussions, one held in North America and the other in EMEA. The roundtables included the following guests:

North America Session:

  • David Linthicum, Chief Cloud Strategy Officer at Deloitte Consulting

  • Mic McCully, Field CTO at Snyk 

EMEA Session:

  • Khadir Fayaz, Group Vice President, Digital and Technology at CBRE

  • Simon Maple, Field CTO at Snyk

According to these experts, security success starts by enabling developers to secure their applications — from code to production. But this level of developer security adoption requires the right tools, processes, and, most importantly, the right culture. 

In the modern software pipeline, developers touch every aspect of an application’s creation: its code, infrastructure, and cloud deployment. Because of this, security must start with the development teams and requires more than the right tools and processes. Security depends on a culture that supports the continued use of these tools and processes. 

This post will discuss lessons from our security experts and the four best practices to cultivate developer security adoption.

1. A workflow mentality, not an audit mindset

To empower developers and encourage them to participate in security, you must translate audit-related language into the context of the development workflow. 

Mic McCully articulates it as “switching from this audit mentality to this workflow facilitation. I don't want to just inspect and discover things; I want to provide guidance and give you very specific details on how to solve things. It's different to telling somebody in security vocabulary, …versus saying, ‘We found this, you need to change this library from this version to this version.’”

It’s all about taking a solution-oriented approach that explains the vulnerabilities’ locations within the developers’ native workflows. This mentality bridges the gap between the security risks and the actionable steps needed to resolve them.

2. Both bottom-up and top-down efforts

While security needs to start from the bottom up, with developers securing their code from the start, top-down support is also required. 

Simon Maple explains, “There needs to be this top-down way of saying, ‘Hey, you know, from the CEO down from the leaders from the board, they recognize security as a priority.’...I love the idea of callouts, particularly from the engineering team, to say, ‘This team did this, this sprint, this month, or this quarter; let's celebrate them.’ That's trying to encourage others to do that. But that needs to come from that top-down; you need the CTOs and the VPs of engineering to be able to do that. And to do that, they need [the leadership] to empower them to say, ‘Hey, we're going to allow you to spend some of your sprints and some of our engineering time on these kinds of efforts. And, you know, it's something that we celebrate together because it's something that is our goal.’”

The success of the development team’s security efforts ultimately depends on the leadership’s priorities. Security takes time and resources, so without the proper support, a fully functioning developer security program is not possible.

3. Frictionless developer experiences

It’s also essential for developers to have frictionless experiences as they implement security into their daily workflows. This is where the right tools and processes come into play. 

Khadir Fayaz says, “We need to look at the frictionless experience of the developer: ‘How do I make sure the release I have is secure? How do I fix the right thing so that my release can be secure and [so I’m] not worried about the 100 critical issues that are showing up that I need to fix?’ We need to bring context. We need to bring expert ability. We need to bring data together in a highly integrated, orchestrated way to enable developers to prioritize fixing the right issues for that particular release.”

The right culture stems from using tools and processes that empower developers rather than confuse or overwhelm them. 

4. Support from the security team

While security enablement for development teams is common, development education and training for security teams is rare, and our speakers consider it just as important as developer security training.

Mic says, “The security teams need to understand and comprehend development. They need to know how these teams work; what are their Gitflow processes? How was the application released? What are the decisions that are being made?”

To succeed together, security and development teams need to understand each other’s worlds — their goals, workflows, and priorities.

Making developer security adoption a reality across your organization

Establishing developer security is essential to keeping up with today’s security demands. It requires the right level of collaboration between development and security, strong support from the leadership team, and tools/processes that facilitate a frictionless experience.

To learn more about developer security, listen to the complete recordings of both “Cultivating Developer Security Adoption in the Enterprise” roundtables for North America and EMEA.

In addition, learn how Snyk helps organizations establish a culture of developer-first security with developer-friendly security tools and educational resources for developers and security pros alike.