2021 is now firmly in our rearview mirrors. But as we approach the halfway mark of 2022, the lessons of last year still resonate – especially when it comes to application security. Like years past, the mega-breaches and high-profile ransomware attacks were nothing new. What felt different were the responses, both by governments and private industry. It’s possible that we will come to look at 2021 as a crucial turning point for security – the year we called for action in moving our collective security practices forward. If 2021 called for action, will 2022 be the year that answers those calls?
Much digital ink has been spilled about the need to “shift security left,” which in most cases means putting tools typically used by security professionals in the hands of software developers. The thinking is that, as a result of scanning applications for weaknesses earlier in the development process, development teams will be able to identify and fix software vulnerabilities before ever reaching production. Ideally, this will then relieve overburdened security teams from having to reactively deal with these vulnerabilities right before–or even after–release, freeing them up for more strategic, proactive security work.
While this is sound in theory, what often happens in practice is that development teams run the prescribed security tools but do not have the knowledge or support to fix everything themselves so the vulnerabilities ultimately continue to make their way downstream to security teams. Scanning and passing vulnerabilities downstream to overworked appsec teams isn’t really living up to the promise of shift left. It just shifts the problem left.
The Security Skills Gap
GitLab’s 2021 DevSecOps Survey found that over a third of the developers surveyed felt “fully responsible for security in their organizations (up from 28% last year), while 32% said they shared the burden with other teams.” The expectations placed on development teams when it comes to security are only increasing. But presenting security scan results without any guidance on how to fix the identified problems or explaining the potential impact is frustrating for developers, who may choose to ignore the results in favor of delivering faster code, shifting the burden back to AppSec teams. This increases intra-team friction and release cycle time.
In order for developers to deliver on the promise of shift left, they need real-time security education that allows them to identify and fix security vulnerabilities as they arise, proactively stop security issues from occurring, and communicate and assign security responsibilities within their teams. Organizations continue to hand enterprise developers additional security responsibilities without providing any support or education on how to respond to security alerts.
The reality is that most developers aren’t security experts. Even seasoned software engineers don’t have time to learn everything in the vast security universe. What they need is relevant information presented to them where and when they need to understand a specific security issue. That’s why it’s critical that software development platforms meet engineers where they are and provide continuously updated, real-time, context-specific security training options. Integrated security training is the best way to ensure that developers are informed in real-time, without offloading the security work to already overloaded security teams.
However, these skills are rarely addressed in academic courses or coding bootcamps. Although most organizations require software developers to undergo annual security training, these workshops usually involve a slideshow presentation or generic video on software vulnerabilities and issues. This style of training rarely leads to any meaningful understanding of the content within. Also, the time gap between learning and application of knowledge reduces the potential for lasting engagement and retention.
Empowered Developers Drive Security
Unlike older generations of software developers, who learned primarily from books and academic courses, younger generations of developers are learning using online resources like blogs, videos, and bootcamps. In fact, a study from Stack Overflow found that nearly 60 percent of developers surveyed learned how to code from online resources. The platforms we use to develop software must evolve to meet this new style of learning.
Developers are under enough pressure to deliver code efficiently. Rather than bog them down with long, unwieldy trainings, they should receive small, bite-sized coding challenges that provide targeted, context-appropriate lessons for hands-on skills building. This helps lessen the time gap between learning the new skill and putting it into practice, allowing developers to grow their muscle memory so that they’re able to identify security issues as they code, further reducing the number of common vulnerabilities that arise at the start of software creation.
As more organizations adopt a workflow path that empowers developers to resolve vulnerabilities faster and earlier in the process, over time, they will be able to deliver secure code at speed while improving their release quality. Secure coding training within the DevOps workflow automates and scales remediation support for developers and allows application security teams to focus on proactively mitigating any security risks and strengthening the organization’s security posture. That is the true potential of shifting security left.