DevSecCon panel discussion: Which comes first, security or the app?

In application development, security plays an increasingly more prevalent role in protecting infrastructure and data, and ensuring a high level of user trust. Recently, Snykers Vandana Verma Sehgal  and DeveloperSteve hosted a panel discussion with seasoned industry experts who shared their insights about exactly when security should be brought into app development.

"If you look at how the industry has adopted the shift-left security mindset into the software development life cycle, you see security moving to the forefront. This is also true in the initial creation of new applications, where we see security being brought into the ideation process to identify ways to create safer applications."

"As developers, we build applications with end users in mind. Ensuring the security of their experience and protecting data is important. Our end users put their trust in us to build apps for them, and protecting them is critical in maintaining that trust."

The panel discussion

On the panel we were joined by Lidia Giuliano (Security Architect and Blackhat Asia member), Michael Cheng (Lead Software Engineer at GovTech Singapore), Sandeep Singh (Security Consultant at NotSoSecure and OWASP Delhi Chapter Lead), and Pas Apicella (Principal Solutions Engineer at Snyk).

Kicking things off, we started with the question: “Should application development start with defining security guidelines?”

Lidia: I always give the analogy of application development being like building a house. Things need to be approved before you start building, and then there are compliance checks along the way to make sure everything is going according to plan.

Michael: Building a lot of apps for the government, we have rules and guidelines in place to make sure our tools and environments adhere to the standards in place. From the development side of things, this sets the expectations on not only what can be used but also how.

The key element amongst the panelists around the topic of tooling seemed to be having security teams work closely with development. This means that requirements for dev tooling and environments can be met, but at the same time, a predefined level of security must be in place. Digging into this idea further, we asked Sandeep: “What are some of the security elements to think about when you start scoping an app?”

Sandeep: It's important to always keep the basic security principles in mind – no matter how basic. Sanitizing user input and data, securing authentication and privileges in infrastructure and application platforms. It comes back to some basic questions during the SDLC, like: Who will be using my app? What kind of data is being generated, and where is it stored? What happens if that data is compromised?

This then led into the fundamental purpose of the panel: understanding how soon is too soon to bring security into the app development process. In particular, we asked: "What was the earliest stage that you've seen security brought in to the process?"

Pas: Some of the customers I've been working with at Snyk initially look to use devops pipelines as the way to automate security as part of their CI/CD. Instead, I ask the question around what kind of developer security tools are available to development teams for scanning and understanding vulnerabilities earlier on in the development process.

Sandeep raised the point that pairing security people with developers helps bring awareness amongst both teams. Lidia added that it's important to have a team culture approach, and to build security awareness champions within development teams to help drive it.

Lidia: When I was a developer, we were restricted from using particular language syntax because of the security implications — even though we understood that it made application development harder because it limited the ways we could debug code even in development environments.

Overall, the main panel consensus seemed to be that it's never too early to bring security into the application development process. Overall, incorporating security into the workflow at the beginning brings it closer to development teams, creating a more holistic approach to security across the entire process. Even at the ideation stage, it enables teams to adopt a more security-focused mindset.

Watch the full recording of the panel:

Get started with Snyk in your SDLC

Integrate Snyk as part of your SDLC and help identify potential issues by scanning code, open source packages, container images and IaC.