Snyk chats with Shutterstock about building a DevSecOps culture

While it’s relatively easy to buy modern security tools, the culture of a company can have an enormous impact on the successful rollout of new security processes. In fact, one of the greatest hurdles for implementing a DevSecOps approach to application security is company-wide adoption.

During a recent webinar, Simon Maple, VP of Developer Relations & Community at Snyk spoke with Christian Bobadilla, Director of Product and Application Security at Shutterstock about building a DevSecOps culture. Here’s a quick recap of the conversation.

The changing application development landscape

Cloud native computing has dramatically changed the way companies build software, and in turn, the speed at which applications are built and deployed. Before cloud native application development, most development teams focused solely on the custom code they wrote and the open source libraries they were using. Developing modern software, however, puts more responsibility on developers than ever before.

“Developers used to focus on the code in their IDEs and the dependencies that their build systems pulled in,” Maple explained. “Everything else that was part of the platform—whether there was any virtualization, hardware, networks, servers, VMs—all of that would typically be handled by an IT or operations team. This is changing with cloud native applications.”

As organizations undergo digital transformation and modernize their applications, developers are adopting microservices architectures, containerization, Infrastructure as Code (IaC), and more. That means development teams have a critical role in the deployment of applications as well, which is driving the need for developer-centric security throughout the entire development pipeline.

Introducing a security program

Since Shutterstock didn’t have a security team in the past, there wasn’t much of a security culture or mindset at the company. Introducing new security tooling in this environment would be challenging because developers would resist taking on additional responsibilities without support from security professionals. That’s why Shutterstock chose to build out a team and program to encourage developers to take ownership over application security.

“It’s always hard at the beginning because developers think security is just going to block them,” Bobadilla said. “But I prefer to think of security as an enabler to help developers build better and more secure applications. I think reinforcing why we need application security is important for getting development teams on board with new security processes.”

Breaking down the developer to security barrier is difficult, but getting developers interested in AppSec is an essential initial step. That’s why Shutterstock created events and games to make security more fun. When security was first being introduced, these events got more people within the organization thinking about security and helped the security team build rapport with developers.

Choosing developer-friendly tooling

Scaling security is another major AppSec obstacle because many organizations have small security teams. For example, Shutterstock has a team of 13 security professionals, with just two focused on AppSec, but more than 400 developers distributed across numerous teams and projects. That’s why choosing the right developer-friendly tooling to implement new security processes is crucial for reducing friction.

The best tools for adoption are those that fit seamlessly into existing developer workflows and are easy to use. While Shutterstock was already using Snyk for security scanning prior to forming a dedicated AppSec team, developers were choosing to ignore hundreds of vulnerabilities. Shutterstock discovered that enabling developers without support and governance hindered application security in the long run.

“We can’t just give developers a list of vulnerabilities,” Maple said. “We need to empower developers to not just find issues, but have the insights, knowledge, and tooling to fix them. The security team also needs to provide guardrails and policies to support developers along the way.”

Scaling AppSec with small security teams

Detecting vulnerabilities isn’t enough to improve the security posture of most organizations. Small AppSec teams likely won’t have the resources necessary to fix every issue, so they’ll need additional involvement from development teams early in the software development lifecycle (SDLC) to maximize efficiency. That’s why security tooling needs to provide actionable feedback to help developers with remediation as well.

“With DevOps, we can now push things much faster into production,” explained Maple. “We need to make sure security is a part of that, and that we’re testing as early as possible all the way through to deployment. That’s why shifting left is a big part of DevSecOps.”

As you can see, adopting a DevSecOps approach to software development requires the right culture, tools, and processes. By choosing Snyk, Shutterstock had a developer-friendly tool that integrated closely with its development workflow, but the company still had a lack of education and awareness for security. Once Shutterstock’s security team introduced events to foster interest in security and implemented governance around security processes, the company was able to dramatically improve its AppSec posture. Implementing new security tools and processes is the easy part, but building a DevSecOps mindset can make all the difference.

Want to learn more about Shutterstock’s DevSecOps transformation? Watch the full How Shutterstock Implemented DevSecOps from the Ground Up webinar on-demand.