AppSec, the developer way: Transforming security from a “dirty word” to a common practice
Security is seen by developers as the domain of the AppSec team, who have the unenviable task of scanning code and reporting to the development team that their code is insecure or indeed, entirely unusable. AppSec teams are often viewed as the sticks in the mud that pick apart good work, halt innovation, and generally create a headache for developers.
In a world where a single data breach is all it takes to destroy a business, only the prepared and vigilant, those who embrace security in their operations, can prevent disaster. Yet ask most developers about security, and their faces will crease into an irritated frown.
To put this into a real-world example, imagine the following:
- A developer happily codes away in the IDE within their own local branch.
- They then commit the code and push it to a new remote branch using a Code Management Tool, such as GitHub.
- Then, they navigate to the repository on the Code Management Tool and create a pull request.
- The reviewer checks the code and leaves comments, as necessary.
- The developer makes the required changes outlined by the reviewer, and the pull request is then merged into the master branch.
- The developer happily continues to their next task and then BOOM – the developer receives security bugs from the AppSec team on the code that was already merged.
- The developer has to drop everything and go back to fixing the code they thought they were already done with.
From this, it’s easy to see why security is still a “dirty word” among developers. But it really doesn’t have to be that way!
Imagine a world… where security is truly embedded into developer processes and environments. Imagine that upon the pull request, the developer received not only comments related to functionality, but also comments related to security. Just like that, the developer would have their code reviewed once for all bugs and could close the full feedback loop, all whilst the code is still fresh in their minds and before it is merged anywhere that really matters.
Well, guess what? You don’t need to imagine anymore!
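As an added illustration (not code from the original post or from any vendor), here is a GitHub Actions workflow that runs CodeQL on every pull request, so security findings show up as a check on the PR itself rather than arriving from the AppSec team after the merge; the file path, the `main` branch name and the `javascript` language are assumptions.

```yaml
# .github/workflows/security-review.yml (assumed path)
name: security-review

# Scanning only after the merge reproduces the "BOOM" in the list above:
#   on:
#     push:
#       branches: [ main ]
# Triggering on the pull request instead puts findings into the review.
on:
  pull_request:
    branches: [ main ]   # assumed default branch

permissions:
  contents: read
  security-events: write   # required to upload code-scanning results

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumed; use the repository's language(s)

      # Runs the queries and uploads alerts; they appear as annotations on
      # the changed lines of the pull request.
      - uses: github/codeql-action/analyze@v3
```

With branch protection requiring this check, alerts above the repository's configured severity threshold fail the check, so the security findings are fixed in the same review cycle as the functional comments.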
Modern application security testing (AST) solutions that are specifically built for DevOps environments are revolutionizing the way security fits in. With security embedded into the software development lifecycle in a way that doesn’t disrupt developers’ work, doesn’t add any additional code reviews, and doesn’t use any new tools – developers’ perception of security is changing.