experts. While it’s essential to know the basics, such as how to write , there is also a growing dependence on tools, such as static application security testing (SAST) and static code analysis (SAS), to make that added responsibility easier. As developers become responsible for more and more elements beyond coding, tools that take on some of that burden will become necessary.
Scott Johnson, senior director of product management at , explained in a recent episode of the podcast that a company’s security responsibilities are increasingly becoming developer-centric and falling on developers. For a company to succeed, it must ensure its teams enable developers to write secure code.
Johnson shared a story of meeting with a bank, and the person he was speaking with said their had been feeling worn out. He asked how many security they had and how many developers. The response was ten security .
“So ten are trying to keep up with 3000. And that doesn’t. Right. So the evolution has been with everything we discussed; you must enable the developers. The members are still key but they’reof the application security Guardians. And more and more, the developers are the ones doing it. They’re the ones getting validation, running the scans, using Jenkins from a build server integration perspective, and trying to crank out their code and doing it as fast as they can and as secure as they can.”
One thing to watch out for is making sure you’re not adding unnecessary friction between the security teams.
Friction can occur when the security team starts layering .
“It’s friction that could might do workarounds, you know, ‘hey, I’m going to use that IDE because that’s enabling me to release the software that I want to create.’”
Scanning solutions can help reduce that friction, but only if they are carefully selected and meet all the development . According to Johnson, there are several features that companies should be looking for when trying to find a new scanning solution.
First of all, it should cover the languages and frameworks that are being used to develop applications. Other areas to consider are its automation and integration capabilities, tooling, whether or not it has open APIs, and how much detail it provides on dependencies.
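The automation and integration criteria above are easiest to judge with a concrete wiring in hand. The following is an added example, not code from the article or from Johnson’s company: a small CI gate that reads a scanner’s SARIF report (the open interchange format most SAST tools can emit), resolves each result’s severity, and fails the build only on new error-level findings. Legacy findings recorded in a baseline are reported but do not block, which is one practical way to add a scanner to an existing codebase without the friction of blocking every build on old debt. The tool name, rule ids, file paths and messages in the embedded report are constructed; the document shape follows SARIF 2.1.0.

```python
"""CI quality gate over a SARIF report from a SAST scanner (added example)."""
import json
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str      # SARIF level: "error", "warning" or "note"
    uri: str        # artifact (file) the finding points at
    line: int
    message: str


def _result(rule_id: str, uri: str, line: int, text: str, level: str = "") -> dict:
    """Build one SARIF result object; level is optional, as it is in real reports."""
    res = {
        "ruleId": rule_id,
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
    }
    if level:
        res["level"] = level
    return res


# Constructed sample report: tool name, rule ids, paths and messages are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "LOG-002", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            _result("SQLI-001", "src/db.py", 42, "query built from user input", "error"),
            # no explicit level: the rule's defaultConfiguration applies
            _result("LOG-002", "src/api.py", 10, "sensitive value written to log"),
            _result("SQLI-001", "src/legacy/report.py", 7, "query built from user input", "error"),
        ],
    }],
})


def load_findings(sarif_text: str) -> List[Finding]:
    """Flatten a SARIF document into Finding records, one per location."""
    doc = json.loads(sarif_text)
    findings: List[Finding] = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        # SARIF: a result without a level inherits its rule's default, else "warning".
        default_level = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                         for r in rules}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            level = res.get("level") or default_level.get(rule_id, "warning")
            text = res.get("message", {}).get("text", "")
            for loc in res.get("locations") or [{}]:   # tolerate results with no location
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append(Finding(rule_id, level, uri, line, text))
    return findings


Fingerprint = Tuple[str, str]


def fingerprint(f: Finding) -> Fingerprint:
    """Rule + file, deliberately without the line number, so unrelated edits that
    shift code around do not turn an accepted legacy finding into a "new" one."""
    return (f.rule_id, f.uri)


def baseline_from(findings: Iterable[Finding]) -> Set[Fingerprint]:
    """Snapshot the current findings as the accepted baseline."""
    return {fingerprint(f) for f in findings}


def gate(findings: Iterable[Finding], baseline: Set[Fingerprint],
         block_levels: FrozenSet[str] = frozenset({"error"})
         ) -> Tuple[bool, List[Finding], List[Finding]]:
    """Return (passed, blocking, suppressed): blocking are new findings at a
    blocking level; suppressed are blocking-level findings already in the baseline."""
    blocking: List[Finding] = []
    suppressed: List[Finding] = []
    for f in findings:
        if f.level not in block_levels:
            continue
        (suppressed if fingerprint(f) in baseline else blocking).append(f)
    return (not blocking, blocking, suppressed)


if __name__ == "__main__":
    # Simulate a build where the legacy file was baselined on the day the scanner was adopted.
    found = load_findings(SAMPLE_SARIF)
    accepted = {("SQLI-001", "src/legacy/report.py")}
    passed, new, old = gate(found, accepted)
    for f in new:
        print(f"BLOCK {f.rule_id} {f.uri}:{f.line} {f.message}")
    for f in old:
        print(f"known {f.rule_id} {f.uri}:{f.line} (baselined)")
    print("build", "passed" if passed else "FAILED")
```

Wiring this into a Jenkins or similar pipeline is then a matter of running the scanner, pointing the script at its SARIF file and a committed baseline, and using the exit status as the gate; the baseline is regenerated deliberately with `baseline_from` when the team accepts existing debt, not silently on every run.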
“Those are all key areas that you have to take into consideration. Because if you don’t, you end up in situations where that friction comes into play. And what did developers not like? They don’t like friction. They don’t like things that slow them down,” said Johnson.