Leveraging Developer Security Skills to Fortify your Security Team

Eran Medan
CTO & Co-Founder
December 14, 2022
Eran has spent the last 20+ years as an accomplished software engineer and technology executive, leading teams at Amazon Web Services and NICE Actimize.


Developers, driven by their commitment to code quality, make exceptional security advocates when equipped with the right developer security skills and tools. As primary contributors to a secure development lifecycle (SDLC), they have the opportunity to help solidify your supply chain security and, in turn, ease the workload on DevOps and Security teams. Integrating developer-oriented security tools into the existing development process amplifies early risk identification and streamlines risk mitigation. This developer-driven approach to security effectively curtails the growth of vulnerability backlogs and promotes a more secure and efficient coding environment.


Harnessing Developers' Desire for Secure Code

Developers, driven by their commitment to crafting quality code, inherently prioritize code security. Exploring development forums yields countless debates around secure development practices, such as password storage protocols, encryption of newly created passwords, general secure coding practices, and more. One observation is clear: developers see code security as a crucial aspect of code quality, underscoring the importance of developer security training.

Developers as Your First Line of Defense in Security

Security begins not at the build process checks in your CI/CD pipeline, but right at the onset of code creation. Any new code experiences its first checks during local testing on a developer's machine, then through peer reviews in pull requests. This stage presents the initial opportunities to identify and mitigate vulnerabilities. Swift and efficient action can be taken here, precluding the need for DevOps or Security intervention.

Prompt Action through Developer-Driven Security Tooling

The remediation of vulnerabilities requires an in-depth understanding of the existing code and the appropriate remediation approach. With delay in risk identification comes an increased complexity in mitigation. In instances where vulnerabilities are backlogged, the developer may have moved on, leaving DevOps and Security teams scrambling for a solution. However, identifying code vulnerabilities early and empowering the developer to rectify them ensures risk accountability and resolution while the code is still fresh. This developer-empowering security approach minimizes risks identified at later stages of the CI/CD pipeline, cuts down vulnerability backlogs, saves time, and increases efficiency.

The Rise of Security Champions as Part of Developer Security Efforts

Synopsys has highlighted the value of designating security champions within development teams. More organizations are recognizing the advantage of decentralizing security efforts and integrating developers into their security hardening processes. Some studies even suggest that developer-integrated security practices are an indicator of mature, successful security organizations. An annual study by the BSIMM team discovered that all the top ten scoring firms had implemented satellite teams to enhance security efforts, a trait missing in the lowest scoring firms. Thus, a comprehensive approach to supply chain security necessitates incorporating developer security champions, promoting developer-driven security, and enabling them to address known risks using security tools that seamlessly integrate into their existing development processes.

Secure Development Lifecycle (SDLC) and Git Security

The developer's role does not end with code development; they also have to ensure Git security as part of a Secure Development Lifecycle (SDLC). Given that developers already understand the nuances of their code, empowering them to secure the code can lead to a faster and more efficient SDLC. By putting developers at the heart of security, companies can benefit from more secure and reliable code, thus creating a robust developer-driven security ecosystem.

