In a recent interview, Scott Gerlach, the CSO and co-founder of StackHawk, shared his insights on how organizations can successfully shift their security left without causing delays in their developers’ productivity. He emphasized that achieving this requires a combination of people, processes, and technology, with tooling alone being insufficient. Gerlach offered six recommended steps that organizations can take to embark on this journey and effectively shift security left while maintaining developer velocity.
The first step Gerlach suggests is to involve the development team early in the application security (AppSec) design process. By partnering with developers in decision-making, organizations can evaluate and onboard appropriate tooling, establish fix cycles, determine how findings will be assigned and tracked, and obtain buy-in from development leadership. This collaborative approach ensures that the AppSec process is designed in a way that minimizes interruptions for developers, allowing software to be delivered promptly.
The second step is to involve the security team early in the development process. Developers should communicate the goals, business significance, data handling requirements, and intended functionality of their applications to the security team at the start of the design phase. This enables the security team to assess risk tolerance accurately and provide guidance on implementing necessary security measures, such as authentication and encryption, before the coding begins.
The third step focuses on empowering developers to help themselves. Gerlach recommends adopting tooling that facilitates developers’ understanding of identified issues, their importance, and how to reproduce them for effective resolution. Additionally, developers should be encouraged to document security decisions by triaging findings. This learning-oriented approach acknowledges that achieving perfection every time is not realistic, and organizations should aim to grow and improve together.
The fourth step builds on this by providing targeted security training. Using the decisions developers have documented while triaging findings, organizations can identify recurring patterns in the context of their own code and prioritize the training that addresses them. This personalized approach makes learning more focused and impactful, for example by tackling cross-site scripting (XSS) errors that keep reappearing in specific code segments.
Automation plays a vital role in the fifth step, which is automating security testing in continuous integration and continuous deployment (CI/CD) pipelines. By running security tests alongside the other automated software tests, organizations make security an integral part of the development process rather than a separate gate. Gerlach advises starting with automated tests for common web application threats such as injection attacks, sensitive data exposure, and XSS vulnerabilities.
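To make the fifth step concrete, the following is an added example (it is not code from the interview, from StackHawk, or from any product Gerlach describes) of what "security tests that run alongside the other automated tests" can look like in a CI job. The tiny application under test, its user table and its sample rows are all constructed here for illustration; a real pipeline would typically run a scanner against the deployed service, but the shape of the checks, one per threat class named above, is the same: each check is an ordinary test function that returns pass or fail, so the build breaks when a regression is introduced. Both the defective handler and its fix are included so the checks can be seen catching the former and accepting the latter.

```python
"""CI-style security regression tests for the three threat classes named in
the article: injection, sensitive data exposure and cross-site scripting.
Everything below (the app, the data, the checks) is a constructed example."""
import html
import json
import re
import sqlite3

# Response fields that must never reach a client (constructed list).
SENSITIVE_FIELDS = {"password_hash", "ssn", "card_number"}


def make_db() -> sqlite3.Connection:
    """In-memory user table holding constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "hash-a"),
         ("bob", "bob@example.test", "hash-b")],
    )
    return conn


# --- each handler twice: the defect the test should catch, and the fix -------

def find_user_unsafe(conn, name):
    # Defect: input is pasted into the SQL text, so a quote changes the query.
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def find_user(conn, name):
    # Fix: bound parameter; the driver never interprets input as SQL syntax.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_search_unsafe(query):
    # Defect: user input reflected into HTML without encoding.
    return f"<p>Results for {query}</p>"


def render_search(query):
    # Fix: HTML-encode before interpolating into markup.
    return f"<p>Results for {html.escape(query)}</p>"


def profile_unsafe(conn, name):
    # Defect: returns every column (hash included) and a versioned banner.
    row = conn.execute(
        "SELECT name, email, password_hash FROM users WHERE name = ?",
        (name,)).fetchone()
    body = dict(zip(("name", "email", "password_hash"), row))
    return {"headers": {"Server": "acme-app/1.2.3"}, "body": json.dumps(body)}


def profile(conn, name):
    # Fix: select only what the client needs; keep the banner generic.
    row = conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchone()
    return {"headers": {"Server": "acme-app"},
            "body": json.dumps({"name": row[0], "email": row[1]})}


# --- the security checks, written like any other automated test --------------

def check_injection(lookup, conn) -> bool:
    """Pass when a tautology payload matches no user (nobody is named that)."""
    return lookup(conn, "' OR '1'='1") == []


def check_reflected_xss(render) -> bool:
    """Pass when a script tag in the input never appears raw in the output."""
    out = render("<script>alert(1)</script>")
    return "<script" not in out.lower()


def check_sensitive_exposure(handler, conn) -> bool:
    """Pass when the body has no secret fields and the banner no version."""
    resp = handler(conn, "alice")
    fields = set(json.loads(resp["body"]))
    leaks_field = bool(fields & SENSITIVE_FIELDS)
    leaks_version = re.search(r"\d", resp["headers"].get("Server", "")) is not None
    return not (leaks_field or leaks_version)


def run_security_suite(lookup, render, handler) -> dict:
    """Return a check-name -> pass/fail map; CI fails the build on any False."""
    conn = make_db()
    return {
        "injection": check_injection(lookup, conn),
        "xss": check_reflected_xss(render),
        "sensitive_data": check_sensitive_exposure(handler, conn),
    }


if __name__ == "__main__":
    print("before fix:", run_security_suite(find_user_unsafe, render_search_unsafe, profile_unsafe))
    print("after fix: ", run_security_suite(find_user, render_search, profile))
```

In a pipeline, `run_security_suite` would be invoked by the same test runner as the unit tests, and its output is exactly the kind of finding the earlier steps ask for: a named check, a reproducible input, and a pass/fail the developer can triage and document without waiting on the security team.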
The final step emphasizes the importance of collaboration among development, security, and operations teams. Instead of merely passing vulnerability reports between teams, organizations should establish a foundation for effective teamwork. By implementing the previous steps, teams can work together to identify potential security risks and develop strategies to mitigate them. This collaborative approach creates a culture of shared responsibility and empowers all stakeholders to actively contribute to maintaining the organization’s security posture.
Gerlach’s recommendations provide a comprehensive framework for organizations looking to prioritize security without impeding their developers’ productivity. By engaging developers early in the AppSec process, involving the security team from the start, enabling self-help through tooling and documentation, providing targeted training, automating security testing, and fostering collaboration among teams, organizations can successfully shift security left while maintaining the speed and agility necessary for effective software development.