DevSecOps, Application security

How to move proactively through the security maturity journey

Today’s columnist, Matias Madou of Secure Code Warror, offers three tips for helping organizations “shift left” and build better security into their applications. (Credit: Stock Photo, Getty Images)

Modern software development requires modern risk mitigation, and future-focused organizations recognize the benefits of “shifting left,” and making security an indispensable part of the software development lifecycle (SDLC) from the start.

Two-thirds of developers expect that the protection of applications will emerge as a “noticeably more important” priority during the next 12 to 18 months – ranking No. 1 over new features/functionality, application performance and code quality – according to recent research we’ve published. It’s good news, especially since 67% of developers believe they ship code with vulnerabilities as they face pressures in the form of tight release deadlines and demanding functionality requirements.

To avoid these situations by progressing toward optimal security maturity, teams proceed in three stages: defining, adopting, and scaling. In the initial defining stage, they acknowledge that software vulnerabilities exist in their code, and that they need to take a proactive approach to these issues instead of always reacting to scanner-identified vulnerabilities later in the cycle: a process often fraught with false positives and negatives that slow production to a crawl.

They also look to segue from a “check-box” compliance mindset to one that embraces a continuous cycle of improvement to stay ahead of evolving threats. As part of the defining stage, they should pursue buy-in from management and top stakeholders, so security gets prioritized during development and the organization allocates enough time and resources to build the basic skills needed.

Then, they advance to the adoption stage – and that’s when they get a little, well, stuck. To the point where scaling is significantly delayed or, worse yet, stalls indefinitely.

Why? Because a commitment to collaboration and planning remains a critical component of a successful adoption. Security teams must focus on strengthening their communications and relationships with developers, so the developers learn how to use the right tools for protection and even maximize their value. However, the teams too often lapse into the check-box mentality during this stage. Or they may attempt to “boil the ocean” in just a few meetings, and participants perceive that everyone and everything involved with these efforts are “getting in the way” of more immediate tasks at hand (like those pressing release deadlines).

At this point, the adoption of a comprehensive shift-left strategy seems too “big” and intimidating to even get started, much less scale. The resulting patchwork process leads to inconsistencies in execution which keep organizations from a unified, model state of security maturity.

So how does a team get “unstuck” at the adoption stage, and move on to scaling? Here are three key steps to follow:

  • Start small with a baseline of skill building. At the beginning of this stage, avoid a “boil the ocean” syndrome. Get a firm sense of the existing security capabilities of development team members, and then work together on a plan to upskill them via ongoing training and hands-on experiences. In addition, establish a baseline of code-defense standards, and the skills needed to implement them. Adopt a tiered-learning approach. Break down larger topics into smaller concepts which team members quickly master through appropriate exercises and instruction. The team can’t proceed toward the path to scaling and security maturity without a training program, as our research found that developers at 92% of organizations require at least some security training – if not “significant” training.
  • Identify frequent vulnerabilities that pose the most risks. Eliminating vulnerabilities reduces expensive rework while lowering risk, so teams must evaluate data to pinpoint what the most common vulnerabilities are. Then, they have to prioritize training for secure coding skills to respond to these issues.
  • Cultivate a culture of continuous learning. This happens when security and development come together, with everyone seeking to learn from mistakes, challenges, successes – and each other. Organizations discover that the positive energy fuels even more positive energy, with better collaboration leading to impactful shared experiences and, ultimately, optimal maturity.

Through the tiered-learning approach it’s possible to take those small concepts and layer in newer, more advanced and even difficult topics. At the same time, the team can identify and appoint the most skilled and eager developers as champions for security maturity so they act as hands-on mentors for their colleagues as well as liaisons between their department and the AppSec team.

Keep in mind that security is a journey. Nobody expects an organization to ascend to a level of ideal maturity overnight. Because it’s always about continuous learning, organizations are constantly finding new ways to reduce risk while boosting capabilities and productivity. Subsequently, the team’s “champions”  serve as a true front line of defense, and they and management leaders are can advocate for security and functionality as equally important core values. At this point, the organization has passed the “adopting” stage – it’s ready to scale.

Matias Madou, co-founder and CTO, Secure Code Warrior

Matias Madou

Matias is the co-founder and CTO of Secure Code Warrior. SCW provides a fully hands-on gamified experience with metrics, leaderboards and badging that enables developers to master secure coding in different development languages and frameworks. Our customers are able track their skills and progress, and benchmark different teams, including assessing potential suppliers and new recruits. SCW is truly the first global platform developers want to learn on and allows you to ensure a minimum baseline of security skills in your organization.

Matias has over a decade of hands-on software security experience. From the research to improve existing solutions to scoping and building new solutions. A dozen patents and a bunch of papers are the result of his research that eventually led to a hand full of commercial products.

Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. With his Ph.D. in application security, he joined Fortify as an intern and moved up to being the research architect of all runtime solutions within crossing Fortify and ArcSight within HP. He presented at conferences including RSA Conference, BlackHat and DefCon.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.