Developers want to write good code. Secure code.
Tools that optimize developer workflows for handling security issues can take a large burden off security practitioners and make triaging, understanding, prioritizing, and resolving vulnerabilities much easier and faster for the developer. That’s what DevSecOps is all about.
One company that has developed such tools is GitLab. According to a recent survey the company conducted among 4,300 security professionals and developers, the importance of DevSecOps is catching on. More teams are doing DevSecOps than ever before – and doing it well. Among the findings:
- 72% of respondents rated their organizations’ security efforts as “strong” or “good,” a significant increase from 59% the year before.
- More than 70% said their teams have shifted left and moved security earlier into the development lifecycle.
Challenges remain, however. When it comes to finding bugs, 77% of security respondents said that they, not the developers, are "the exterminators" in their organization, catching bugs only after code has already been merged into a test environment.
Security testing remains a sticking point. While security pros agreed that their teams are shifting left, testing still happens too late in the process. Among the findings:
- More than 42% of respondents said it’s still a struggle to fix vulnerabilities.
- While security teams are finding most of the bugs, almost 37% of respondents said it was tough to track the status of bug fixes, and 33% said it was hard to prioritize remediations.
- Meanwhile, 32% said just finding someone to fix the problems remained a headache.
In a recent episode of Application Security Weekly, host Mike Shema chatted with GitLab Director of Product Management Hillary Benson about what it means to provide developer-first security and how these views manifest in her company’s product offerings.
They discussed, among other things:
- Surfacing security issues early in the process
- Educating developers to find bugs in their own code
- Automating the process
- Removing security teams from the minutiae of bug hunting
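One concrete way the first and third of those points land in a pipeline, as an added illustration that is not from the article or the podcast: a minimal `.gitlab-ci.yml` that pulls in GitLab's bundled security scanner templates so static analysis, dependency scanning and secret detection run on every merge request, before the code reaches the shared test environment where the survey's respondents are currently finding the bugs. It assumes a project hosted on GitLab; the template paths and `SAST_EXCLUDED_PATHS` variable are GitLab's own published names, while the stage layout and exclusion list are this example's choices.

```yaml
# .gitlab-ci.yml (added example, not from the article)
# Run security scanners on merge requests and on the default branch,
# so findings surface while the change is still under review.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

stages:
  - build
  - test   # GitLab's scanner templates attach their jobs to this stage

# GitLab-maintained templates: each one adds scanner jobs and publishes
# a report artifact that GitLab attaches to the merge request.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # Example exclusion list (an assumption for this project): keep test
  # fixtures and vendored code out of the SAST results to reduce noise.
  SAST_EXCLUDED_PATHS: "spec,test,tests,vendor"

build:
  stage: build
  script:
    - echo "build the project here"
```

With this in place the developer sees new findings on the merge request itself rather than in a ticket filed later by the security team, which is the "shift left" the survey respondents describe. Scanner noise is the usual reason developers stop reading these reports, so tuning exclusions such as `SAST_EXCLUDED_PATHS` for the repository is worth doing before turning the scans on broadly.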
At one point, Shema asked: “Why, as an AppSec person, should we be putting ourselves out of a job, being replaced with developers? What do you say to security folks worried about job security?”
Benson’s response: “The goal is to free you for more analysis, more strategy, more fun instead of sitting there processing vulnerability boards. Some things you can automate, some things require human hands. Security teams are overwhelmed. There’s plenty to do without having to do this.”
Ultimately, she said, “You still have your hand in it, but more as an orchestra conductor.”