Application security

The Power of Developer-First Security

Developers want to write good code. Secure code.

Tools that optimize developer workflows for handling security issues can take a large burden off security practitioners and make triaging, understanding, prioritizing, and resolving vulnerabilities much easier and faster for the developer. That’s what DevSecOps is all about.

One company that has developed such tools is GitLab. According to a recent survey the company conducted among 4,300 security professionals and developers, the importance of DevSecOps is catching on. More teams are doing DevSecOps than ever before – and doing it well. Among the findings:

  • 72% of respondents rated their organizations’ security efforts as “strong” or “good,” a significant increase from 59% the year before.
  • More than 70% said their teams have shifted left and moved security earlier into the development lifecycle.

Challenges remain, however. When it comes to finding bugs, 77% of respondents admitted to being “the exterminators” in their organization — not the developers — after code is merged in a test environment.

Security testing remains a sticking point. While security pros agreed that their teams are shifting left, testing still happens too late in the process. To that end:

  • More than 42% of respondents said it’s still a struggle to fix vulnerabilities.
  • While security is finding most of the bugs, almost 37% of them said it was tough to track the status of the bug fixes, and 33% said it was hard to prioritize the remediations.
  • Meanwhile, 32% said just finding someone to fix the problems remained a headache.

In a recent episode of Application Security Weekly, host Mike Shema chatted with GitLab Director of Product Management Hillary Benson about what it means to provide developer-first security and how these views manifest in her company’s product offerings.

They discussed, among other things:

  • Surfacing security issues early in process
  • Educating developers to find bugs in code
  • Automating the process
  • Removing security from the minutia of bug hunting

At one point, Shema asked: “Why, as an AppSec person, should we be putting ourselves out of a job, being replaced with developers? What do you say to security folks worried about job security?”

Benson’s response: “The goal is to free you for more analysis, more strategy, more fun instead of sitting their processing vulnerability boards. Some things you can automate, some things require human hands. Security teams are overwhelmed. There’s plenty to do without having to do this.”

Ultimately, she said, “You still have your hand in it, but more as an orchestra conductor.”

This segment is sponsored by GitLab. Visit to learn more about them, and visit for all the latest episodes!

Register for GitLab’s upcoming webcast on November 4th!

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.