Developers are now expected to become security experts. While it’s essential to know the basics, such as how to write secure code, there is also a growing dependence on tools, such as static application security testing (SAST) and static code analysis (SAS), to make that added responsibility easier. As developers become responsible for more and more elements beyond coding, having tools take on some of that burden will become necessary.
Scott Johnson, senior director of product management at Synopsys, explained in a recent episode of the podcast What the Dev that, increasingly, the security elements of a company are becoming more developer-centric and falling more on developers. For a company to succeed, it must ensure its app security teams enable developers to write secure code.
Johnson shared a story of meeting with a bank, and the person he was speaking with said their security team had been feeling worn out. He asked how many security people they had and how many developers. The response was ten security team members and 3000 developers.
“So ten are trying to keep up with 3000. And that doesn’t work, right? So the evolution has been with everything we discussed; you must enable the developers. The app sec team members are still key, but they’re the application security guardians. And more and more, the developers are the ones doing it. They’re the ones getting validation, running the scans, using Jenkins from a build server integration perspective, and trying to crank out their code and doing it as fast as they can and as secure as they can.”
One thing to watch out for is making sure you’re not adding unnecessary friction between the development and application security teams.
Friction can occur when the security team starts layering processes and tools that significantly slow development.
“It’s friction that could create the conditions where the developers might do workarounds, you know, ‘Hey, I’m going to use that IDE because that’s enabling me to release the software that I want to create.’”
Scanning solutions can help reduce that friction, but only if they are carefully selected and meet all the development team’s needs. According to Johnson, there are several features that companies should be looking for when trying to find a new scanning solution.
First of all, it should cover the languages and frameworks that are being used to develop applications. Other areas to consider are its automation and integration capabilities, tooling, whether or not it has open APIs, and how much detail it provides on dependencies.
“Those are all key areas that you have to take into consideration. Because if you don’t, you end up in situations where that friction comes back into play. And what do developers not like? They don’t like friction. They don’t like things that slow them down,” said Johnson.