Developer-first security to prevent downstream risks

Steven Zimmerman

Aug 08, 2023 / 3 min read

Securing software is paramount to realizing organizations’ need to safeguard sensitive data, ensure uptime of business-critical applications, and protect customers’ best interests. Traditionally, this responsibility has fallen to security and AppSec teams, which own the tools and processes that detect and mitigate security issues in the software pipeline. But with the shift to DevOps well underway, security teams are advocating for DevSecOps to ensure the deep and consistent integration of security standards across DevOps workflows and CI/CD pipelines.

The DevSecOps approach can relieve the pressure on triage and take security pressures off developers, and it is essential to establishing security gates that enforce risk tolerance thresholds. But security teams continue to bear the responsibility of defining security testing policies, reviewing and prioritizing issues for remediation, and initiating remediation workflows. In response to this growing burden, organizations adopting DevSecOps practices have begun placing additional security responsibilities on development and engineering teams.

The goal: To reduce the backlog of vulnerabilities and insecure code in the pipeline so security teams can focus on identifying truly critical issues.

In order to achieve this goal, organizations are prescribing developer security training and fostering a culture of security among those directly responsible for writing secure code and fixing vulnerabilities.

The role of developer security training in DevSecOps

The easiest vulnerability to fix is the one that is never introduced into a software project at all. While this may seem hyperbolic, it illustrates a growing trend of emphasizing secure coding education as part of an organization’s shift-left security evolution. As enterprises increase their reliance on software to carry out day-to-day operations, the need for capable, efficient developers increases as well.

And there is no shortage of new software engineers and developers trained in universities and coding bootcamps. The workforce is rife with professionals who can put hands to keys and generate functional applications. But most of these developers have not been trained in secure coding practices nor taught how to work with AppSec teams in a way that aligns to business needs.

Developer security training can provide the relevant education to development and engineering teams, and ensure that security practices don’t derail DevOps workflows. Moreover, organizations can align curricula to specific technologies, projects, compliance standards, and other business needs. This means a developer’s judgment about secure coding practices is grounded in the organization’s risk tolerance rather than in personal preference.

This secure coding education is most effective when delivered through modules and media that accommodate a spectrum of learning habits, coupled with labs and challenges that let developers put learning into practice before implementing new skills in business-critical applications. As developers advance their secure coding capabilities, organizations will see fewer coding weaknesses and faster time to remediation for the issues detected during standard testing cycles.

Correlating application security testing with secure coding education

Organizations see even more benefits from combining developer security training with application security testing in an efficient, closed-loop cycle. Application security testing provides security risk awareness, and developer security training enables security capability across pipelines. Integrating developer security training into DevSecOps workflows often fosters two types of security capabilities among developers: defensive and offensive.

Defensive developer security training

Application security testing detects security risks within development projects, software passing through the pipeline on its way into production, and third-party assets ingested via the software supply chain. When testing tools (e.g., SAST, SCA, IAST, DAST) identify security issues, automated workflows assign remediation tasks to development teams. Developers can then review the assigned remediation task, along with the recommended security training, to inform the code changes that address the issue.

This kind of defensive security accelerates time to remediation, reduces the research burden placed on developers, and eliminates the subjectivity of risk assessment between security and development teams.

Offensive developer security training

Development teams’ primary focus is on shipping functional software quickly. If that software contains vulnerabilities and insecure code, fixing issues and refactoring code can cause delays, potentially derailing development on other versions, branches, or projects. Meanwhile, security teams have to review issues found by testing and prioritize the most pressing ones for remediation, which takes time and resources.

Offensive security training helps developers avoid introducing issues during development. By learning secure coding techniques, developers can reduce the number of vulnerabilities and weaknesses within application code from the start, so there are fewer detected by application security testing at later stages in the SDLC or CI/CD pipelines.

Black Duck and Secure Code Warrior partner for developer-first security

As leaders in application security testing (AST) and developer security training, respectively, Black Duck and Secure Code Warrior are partnering to provide the most effective joint solution for developer-first security for DevSecOps. Together, Black Duck and Secure Code Warrior provide an integrated solution that establishes a closed-loop strategy to prevent security issues at the developer desktop and accelerate time to remediation for issues detected during security testing at stages across the SDLC and CI/CD pipelines.

Black Duck AST tools prioritize detected security risks for remediation and present developers with the most appropriate and impactful resources to address each issue. With direct integrations into Seeker® IAST, Coverity® SAST, and Software Risk Manager, Black Duck’s developer security training, powered by Secure Code Warrior's industry-leading agile learning platform, gives developers the ability to learn how they want, with the most complete and reliable application security content in the industry today. Together, with Black Duck and Secure Code Warrior, organizations can be assured that developers are security-capable in ways that matter most to the business.
