DevSecOps, Application security

How to move proactively through the security maturity journey

Share
Today’s columnist, Matias Madou of Secure Code Warror, offers three tips for helping organizations “shift left” and build better security into their applications. (Credit: Stock Photo, Getty Images)

Modern software development requires modern risk mitigation, and future-focused organizations recognize the benefits of “shifting left,” and making security an indispensable part of the software development lifecycle (SDLC) from the start.

Two-thirds of developers expect that the protection of applications will emerge as a “noticeably more important” priority during the next 12 to 18 months – ranking No. 1 over new features/functionality, application performance and code quality – according to recent research we’ve published. It’s good news, especially since 67% of developers believe they ship code with vulnerabilities as they face pressures in the form of tight release deadlines and demanding functionality requirements.

To avoid these situations by progressing toward optimal security maturity, teams proceed in three stages: defining, adopting, and scaling. In the initial defining stage, they acknowledge that software vulnerabilities exist in their code, and that they need to take a proactive approach to these issues instead of always reacting to scanner-identified vulnerabilities later in the cycle: a process often fraught with false positives and negatives that slow production to a crawl.

They also look to segue from a “check-box” compliance mindset to one that embraces a continuous cycle of improvement to stay ahead of evolving threats. As part of the defining stage, they should pursue buy-in from management and top stakeholders, so security gets prioritized during development and the organization allocates enough time and resources to build the basic skills needed.

Then, they advance to the adoption stage – and that’s when they get a little, well, stuck. To the point where scaling is significantly delayed or, worse yet, stalls indefinitely.

Why? Because a commitment to collaboration and planning remains a critical component of a successful adoption. Security teams must focus on strengthening their communications and relationships with developers, so the developers learn how to use the right tools for protection and even maximize their value. However, the teams too often lapse into the check-box mentality during this stage. Or they may attempt to “boil the ocean” in just a few meetings, and participants perceive that everyone and everything involved with these efforts are “getting in the way” of more immediate tasks at hand (like those pressing release deadlines).

At this point, the adoption of a comprehensive shift-left strategy seems too “big” and intimidating to even get started, much less scale. The resulting patchwork process leads to inconsistencies in execution which keep organizations from a unified, model state of security maturity.

So how does a team get “unstuck” at the adoption stage, and move on to scaling? Here are three key steps to follow:

  • Start small with a baseline of skill building. At the beginning of this stage, avoid a “boil the ocean” syndrome. Get a firm sense of the existing security capabilities of development team members, and then work together on a plan to upskill them via ongoing training and hands-on experiences. In addition, establish a baseline of code-defense standards, and the skills needed to implement them. Adopt a tiered-learning approach. Break down larger topics into smaller concepts which team members quickly master through appropriate exercises and instruction. The team can’t proceed toward the path to scaling and security maturity without a training program, as our research found that developers at 92% of organizations require at least some security training – if not “significant” training.
  • Identify frequent vulnerabilities that pose the most risks. Eliminating vulnerabilities reduces expensive rework while lowering risk, so teams must evaluate data to pinpoint what the most common vulnerabilities are. Then, they have to prioritize training for secure coding skills to respond to these issues.
  • Cultivate a culture of continuous learning. This happens when security and development come together, with everyone seeking to learn from mistakes, challenges, successes – and each other. Organizations discover that the positive energy fuels even more positive energy, with better collaboration leading to impactful shared experiences and, ultimately, optimal maturity.

Through the tiered-learning approach it’s possible to take those small concepts and layer in newer, more advanced and even difficult topics. At the same time, the team can identify and appoint the most skilled and eager developers as champions for security maturity so they act as hands-on mentors for their colleagues as well as liaisons between their department and the AppSec team.

Keep in mind that security is a journey. Nobody expects an organization to ascend to a level of ideal maturity overnight. Because it’s always about continuous learning, organizations are constantly finding new ways to reduce risk while boosting capabilities and productivity. Subsequently, the team’s “champions”  serve as a true front line of defense, and they and management leaders are can advocate for security and functionality as equally important core values. At this point, the organization has passed the “adopting” stage – it’s ready to scale.

Matias Madou, co-founder and CTO, Secure Code Warrior

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Matias Madou

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers’ expectations. Matias has over a decade of hands-on software security experience. From the research to improve existing solutions to scoping and building new solutions. A dozen patents and a bunch of papers are the result of his research that eventually led to a hand full of commercial products, and has presented at conferences including RSA Conference, BlackHat and DefCon.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.