SecurityWeek


Moving Beyond “Moving Left”: The Case for Developer Enablement

For far too long, software security has consisted of a curious bifurcation of roles: developers develop, and IT security testers test for security issues. Fortunately, a confluence of circumstances has forced a recalibration of the developer’s role in software security. In fact, I think we are about to see a new wave of what I call developer enablement.

You have likely heard the rumblings of this evolution expressed as “moving left.” The phrase sprung from the visualization of software development as a left to right progression of tasks, beginning with design and architecture and moving right to deployment.

Looking beyond the “move left” mentality

Unfortunately, moving left falls short of capturing the idea accurately or with any real level of inspiration. With the growing adoption of Agile and CI/CD, the world of development is no longer a straight line, but rather a continuous cycle—one in which there is no “left.”

This outdated metaphor has also proven to be an empty assertion. Vendors claiming to move left do not actually move the test itself, nor the process of remediating the test results, any deeper into the developer’s world. Instead, they just move the button that launches a test closer to the developer. That resolves nothing and does nothing to enable the developer.

While I find “moving left” to be an annoying term, the concept grew out of the belief that identifying vulnerabilities late in the development process—often post-build—makes the job of finding and remediating vulnerabilities harder and more time-consuming. Asking a developer to go back to a previous build to remediate vulnerabilities is painful. It also affects the development cycle of the current build. As much as we have evolved, developers are still incented to deliver their code on time over and above producing secure code.

Introducing the case for developer enablement

Developer enablement is about giving developers the knowledge and tools to discover vulnerabilities as early in the development process as is practicable. This enables them to reduce remediation time while increasing productivity. Makes sense, right?

The implication of this statement is that a working relationship exists between development and IT security. While this has not always been the case, I get the impression from industry analysts and actual practitioners that this evolution is indeed happening and that its pace is accelerating. Organizations are creating software security groups that own the problem. These groups are actively engaging and, in some cases, enabling development.

What does developer enablement look like?

It starts with education. The obvious nirvana state is to teach developers how not to code in vulnerabilities at all. You can employ the standard methods of instructor-led and eLearning. The problem is that developers are notoriously hard to pin down for training. Additionally, the growing millennial workforce resists traditional education methods. Some of the challenges are addressable by breaking courses into “snackable” segments and by giving developers real incentives to take security-related courses.

The best way to educate developers, however, is to teach them practical lessons in real time while they are developing. This is a more evolved form of training. It requires tools that can live in the development environment and spot vulnerabilities in the code while developers are coding or before the build stage. This doubles the level of enablement by identifying actual problems as early as possible and by using the detection as a teachable moment. The developer is alerted to the problem, provided a description of the vulnerability and how it can be exploited, and provided guidance to remediate the problem on the spot.

Boom! That is developer enablement. To summarize in three points:

1. The lessons take place in real time in a practical setting, facilitating the learning process. The hope is that after repeated exposure to the process the developer stops committing the errors that create the vulnerability.

2. The developer is empowered to remediate the vulnerability on the spot. This eliminates the need for the highly intrusive pattern of returning to previous builds to fix test findings. Developer enablement has a direct impact by increasing productivity and lowering remediation costs.

3. The tool collects data on developer behavior, providing insights into repeated issues for one developer or the group. Such patterns indicate the need for education, enabling effective targeting for training that maximizes impact and minimizes interruption.
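As an added illustration that is not from the column or any vendor product, here is a minimal pre-build checker sketching the three points above: each finding carries a description, the risk and remediation guidance for the on-the-spot teachable moment, and findings are counted per developer to surface repeated issues for targeted training. The rule set, file names and developer names are constructed for illustration.

```python
"""Added example (not from the original column): a minimal pre-build checker
that turns each finding into a teachable moment and aggregates findings per
developer. Rules, file names and authors are constructed for illustration."""
import re
from collections import Counter

# Each rule: pattern, weakness title, why it matters, remediation guidance.
RULES = [
    (re.compile(r"\beval\("), "Dynamic code evaluation",
     "Attacker-influenced input reaching eval() runs as code.",
     "Parse the input explicitly (json.loads or ast.literal_eval)."),
    (re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "Shell command built from strings",
     "Shell metacharacters in user-supplied arguments can alter the command.",
     "Pass an argument list and drop shell=True."),
    (re.compile(r"hashlib\.md5\("), "Weak hash algorithm",
     "MD5 collisions are practical, so it is unsuitable for integrity checks or passwords.",
     "Use hashlib.sha256, or a password KDF for credentials."),
]

def scan(path, source, author):
    """Return one finding per matching line, tagged with the committing developer."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rx, title, risk, fix in RULES:
            if rx.search(line):
                findings.append({"file": path, "line": lineno, "author": author,
                                 "title": title, "risk": risk, "fix": fix})
    return findings

def repeated_issues(findings, threshold=2):
    """(author, weakness) pairs seen at least `threshold` times: candidates for targeted training."""
    counts = Counter((f["author"], f["title"]) for f in findings)
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample sources keyed by (path, author); not real project code.
SAMPLES = {
    ("api/handlers.py", "alice"): "import subprocess\nsubprocess.run(cmd, shell=True)\nresult = eval(payload)\n",
    ("jobs/run.py", "alice"): 'import subprocess\nsubprocess.call("ls " + d, shell=True)\n',
    ("auth/tokens.py", "bob"): "import hashlib\ndigest = hashlib.md5(data).hexdigest()\n",
}

def run_all(samples=SAMPLES):
    findings = [f for (path, author), src in samples.items() for f in scan(path, src, author)]
    return findings, repeated_issues(findings)

if __name__ == "__main__":
    findings, repeats = run_all()
    for f in findings:  # the on-the-spot alert: what, why, and how to fix it
        print(f"{f['file']}:{f['line']} {f['title']}. {f['risk']} Fix: {f['fix']}")
    for (author, title), n in repeats.items():
        print(f"Training candidate: {author}, '{title}' seen {n} times")
```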

Does that mean the days of IT security testing are coming to an end?

No. There will still be a need to test software more broadly for a variety of reasons. However, if developer enablement is done well, the results should yield far fewer vulnerabilities and reduce remediation time and expense.

As we continue to find inventive ways to increase developer productivity, it makes sense that we should include software security in the process. Enabling developers through the right mix of tools and education just makes too much sense and generates too much value for all concerned.
