Three expert tips for cultivating secure software development practices
March 1, 2023
We often hear about the importance of DevSecOps — integrating security into DevOps processes. But as many security professionals know, it’s not nearly as easy as it sounds. Cultivating secure software development practices requires working alongside developers with varying opinions, priorities, and idiosyncrasies. And any process involving humans is complicated.
So, how do today’s security teams overcome these challenges and make secure software development practices a reality? Snyk interviewed some of the world's most innovative security leaders to find out. Let’s dive into their biggest takeaways for cultivating security adoption within development teams.
Start with empathy
Empathy builds a foundation of mutually beneficial security practices. Nicholas Vinson, DevSecOps Lead at Pearson, explained that if development teams “don’t empathize with the value of security, they don’t really have any impetus to prioritize [it over] their feature work.”
How do you foster this motivation for secure development practices? Tim Crothers, SVP, Chief Security Officer at Mandiant, says, “[Security] has got to be a partnership. A fundamental reason that a lot of our security failures occur is that we try and dictate to, rather than truly partnering with, the groups that we’re trying to help be successful.”
He also emphasized that Mandiant’s key to success was “just understanding our engineering teams’ preferred practices. What are those patterns so that we can partner to put in guardrails, rather than controls. If you really simplify it, the consistent thing is looking for gaps — gaps in our processes, gaps in our [collaboration].”
Security teams must also approach this process with humility, remembering that security isn’t the only task on the development team’s plate. Jason Chan, VP of Security at Netflix, explained that security needs to “realize they have a lot of other responsibilities. They have to build features and products. They have to worry about performance reliability. We want to make participating in security as easy as possible.”
Focus on providing support
As they learn more about how developers approach their day-to-day jobs, security teams also need to provide the right level of support.
Vinson attributes the Pearson team’s success to top-down support, saying, “right from the top, there was understanding [about] the need for security. In terms of implementation, you’re dependent upon the software engineering organization and the leaders there.”
In addition, automation is important for supporting secure software development practices. Yashvier Kosaraju, VP of Security, Compliance & IT at Sendbird, saw the significant effects of automation in his organization. Even after a quiet, unannounced release of their security automation initiatives, Sendbird saw that “around 65% of the PRs that we created so far have been merged and closed, which is a significant number considering we hadn’t sent any communications out to developers regarding this. This tells you that everyone wants to do the right thing, but maybe doesn’t have time to do it. So when you make it as simple as possible, they do the right thing.”
Establish a mindset of shared responsibility
Many of our interviewees’ successes came from a mindset shift. The developers started to see themselves as the game changers for secure software development practices. Our security experts suggested a few ways to do this.
Kyle Randolph, CISO at Verkada, uses recognition to encourage shared responsibility, talking about how they “give out t-shirts that say, ‘Security Hero’ on them. This is more exclusive, so it makes people want to step it up and really go above and beyond to make a security contribution. Maybe you eliminated cross-site scripting… you built it into the framework your team uses. Then that would warrant a ‘Security Hero’ t-shirt. And then you get recognized in front of the whole company.”
Rinki Sethi, VP and CISO at Bill.com, suggests establishing a formal training and accountability structure to hold developers and other security stakeholders responsible, explaining how they “build a scorecard that they are responsible for, that actually shows the things that we’re doing to ensure that we’re securing our product or feature in the right way. There’s a path for engineers to talk with the central security organization as needed, and we’re also providing them with the latest and greatest in training.”
And, of course, we need to circle back to the importance of automation. Ryan Ware, Security Architect and Director of the Intel Products Assurance and Security Tools Team, explains, “Being able to, in an automated way, let a developer know as early as possible about a problem in their code is the thing that you have to do. If you could do it at the code check-in point, so that they understand it then, or even with a tool as they’re writing their code that flags something as a problem in their IDE immediately.”
Is 2023 the year of developer security at your org?
As you compare these organizations’ success stories to your situation, remember that your secure software development practices must tie back to your organization’s existing processes and workflows. Every situation is different, so it’s all about understanding the nuances of your business and making the best plan from there.
If you are prioritizing secure software development practices this year, check out our white paper, “CISOs Guide to Cultivating Developer Security.” You’ll get access to more tips and tricks from Fortune 500 security professionals, as well as practical advice from Snyk’s team of experts.