Evolving Security From “Time Suck” to Productivity Creator
Feb 9, 2024 7:51:57 AM
Written by: Kris Bondi
The challenge with security around the development process is that too often it has felt like it was bolted on after the fact, because it was. It’s no wonder that an announcement that a new security tool has been added to the process is likely to elicit a collective eye roll from a development team. To be clear, developers are not against security, but they are skeptical of new processes and tools being added by security teams with no development experience.
When security is primarily addressed in the testing phase of a software development life cycle, unplanned additional work is added to address newly discovered issues and vulnerabilities. In addition to the understandable frustration this causes, the added cycles of a “develop, test, fix, develop, test, deploy” process kill productivity. Similarly, a shift-left approach could require developers to change the way they work. This is both a workflow and a cultural change that could lead to bottlenecks.
The result is that too often an organization has less than 100% adherence to its own security protocols in the interest of getting products deployed. Unfortunately, what may seem like a shortcut could lead to unexpected attack vectors, resulting in an operational disruption.
Ultimately, the goal of security tools in the development process is to protect the integrity of the product as well as company and customer information. The best security is present throughout the development process, adds no friction for developers, and provides immediate signals if potential issues arise. When these three characteristics are present, security becomes a driver of productivity. An omnipresent security approach catches and addresses issues as they surface, before they can proliferate. No more late-in-the-process surprises.
When DevSecOps can observe product development insights and security signals simultaneously, it can see risks before they impact the development pipeline. The DevSecOps function can proactively investigate and address the first signs of trouble. Whether it is the use of poor security practices or a supply chain attack, early identification and response also enable better collaboration throughout the security stack.
The best response to an incident is removing the problem before it becomes an incident.
Codezero is built around the premise of security as a first-class driver of developer velocity. To try it free, create a free account or get in touch.