
Vickie Li for ShiftLeft

Originally published at blog.shiftleft.io

Getting Devs To Go Along With Your DevSecOps New Year’s Resolution



Welcome to 2022! It is once again time to make resolutions for the year ahead. Maybe you are picking something straightforward like exercising more often. Maybe you will finally “Kondo” your home to the point where you try to fold clothes vertically in drawers. Or maybe this is the year you modernize your approach to work so your daily experience actually aligns with the future of your career. Whatever you choose, you will likely need commitment and a schedule of attainable goals in order to change your habits. This is doubly true if you are an AppSec manager looking to finally “shift security left.”

Any resolution involving work is typically more complex because it requires you to understand the motivations of those around you. Even if you already have a handle on the type of goal setting and reward that works best for you, these might not click with your coworkers. If you are a manager, then you have to think about the personalities on your team. As an AppSec professional, you are already between two teams: the security team you report to, and the development team you need to collaborate with. “Shifting left” and “DevSecOps” are already prescriptions for more collaboration across these teams. But if you are going to be the person driving that collaboration, you need to understand what the benefit is for the developers.

One way to approach this complex change is to focus on a central subject like security debt. One of the benefits of shifting security left, or performing security checks earlier in the development lifecycle, is that you will sit on less security debt. Fewer software vulnerabilities mean less risk and more success for the security team. Security debt is like “technical debt,” something developers already know and strongly dislike.

The relationship devs have with technical debt is worth understanding. Technical debt is the result of development decisions that achieve a short-term gain at the cost of slowing work in the future due to suboptimal code. Like security debt, it is painful yet has a tendency to stick around. In a survey performed by Stepsize and reported by ZDNet, 51% of developers have considered quitting to get away from their company’s technical debt. It was the fourth-highest reason to leave a job, behind salary, growth opportunities, and remote work.

As to why tech debt is so painful, 52% of developers think it hurts team morale and 66% believe they could ship twice as fast if they had more effective systems in place to manage tech debt. This should come as no surprise, since everything on the developer side comes down to speed. So, as you are working to make devs aware of and care about security debt, keep in mind that there is this painful analogue, already in their face, that many engineering teams have trouble handling.

So then, how do developers effectively handle technical debt? Martin Fowler, a self-described pundit on software development, suggests that the best approach is to make gradual payments as one would in the case of financial debt. Besides, a habit of continuous tech debt reduction has its own benefits. Gradual improvements make future debt easier to address, and streamline the parts of the application that are changed the most often, which are likely to be the most critical parts of the application. That said, since security fixes are sometimes viewed as a necessary evil by devs, approaching them as tech debt by targeting continuous, gradual fixes could be the trick that accelerates your AppSec program.

The success of any culture change will come down to the people leading it, but there are tools that can help. A product like ShiftLeft CORE makes it significantly more efficient to prioritize security issues by analyzing custom and open source code holistically. By seeing attackability for CVEs and custom code vulnerabilities, it is much easier to convey the importance of fixes to the dev team. Not only does ShiftLeft CORE provide the insight your team needs, it provides it while the code is still fresh in their minds. Because it is easy to set up frequent scans, as early as at every pull request, you can share security issues with developers as they arise.

If you are resolving to “shift security left” in 2022, let us help you and your team. Visit https://www.shiftleft.io/register to create a free account and see how ShiftLeft CORE can help your team transition to continuous gradual fixes early in the development cycle.
