https://www.helpnetsecurity.com/2023/03/01/developers-extension-security-team/
Submission: On March 02 via api from TR — Scanned from DE
Eran Medan, CTO, Arnica
March 1, 2023

DEVELOPERS CAN MAKE A GREAT EXTENSION OF YOUR SECURITY TEAM

Developers care about the quality and security of their code, and when empowered to help, developers make great security advocates who can help harden your supply chain security while reducing the burden on DevOps and security teams. Introducing security tools that allow developers to own code security within their existing development process can increase early risk identification and simplify the process of mitigating risks, slowing the growth of (or even reducing) vulnerability backlogs.

DEVELOPERS WANT TO PRODUCE SECURE CODE

Developers take a lot of pride in the quality of their code, which includes how secure it is. If you wade through the arguments over spaces vs. tabs and which language is the superior one, development forums provide endless examples of discussions around code security and efficiency, spanning from how to store passwords to seeking out best practices for secure code. These examples include knowledge sharing on existing password storage, encryption methods for new passwords, general secure coding practices, and more.

The takeaway? Developers consider code security to be a key component of overall code quality; they just want it to be a part of the development process, not presented as a pass/fail grade after their efforts.

Historically, the developer-security relationship has been defined by the perception that security tooling adds friction and frustration to the developer workflow. Much of this perception can be explained by the timing of the alerts, and the “gotcha” feeling of having them presented by a colleague at the end of a development cycle.

The reality is that developers are open to security-oriented feedback and even seek it out during the development process. What developers want is a timely and judgment-free process of assessing code security that fits into their existing process and provides helpful context on how to resolve the risk.

DEVELOPERS ARE YOUR FIRST LINE OF DEFENSE

Security does not start with checks in the build process within your CI/CD pipeline. Long before new code is introduced to the production environment, it goes through local testing on a developer’s machine, and passes through peer reviews when the code is added to pull requests. These represent the first and furthest “left” efforts to identify vulnerabilities as well as the first opportunity for risk mitigation. Feedback provided at this stage, directly to the developer in real time, can be acted on quickly and efficiently without requiring the developer to reacclimate themselves with code they wrote weeks ago, and without any DevOps or security intervention.

DEVELOPERS HAVE THE CONTEXT TO ACT QUICKLY

Resolving vulnerabilities takes innate knowledge of the existing code as well as the correct way to patch the vulnerability. The longer it takes to identify a code risk, the more complicated the risk is to mitigate. In instances where vulnerabilities are added to a backlog, original developers may have changed projects or left the organization, and new features may be dependent on the vulnerable code by the time a fix is prioritized. In these scenarios, DevOps and security teams are left trying to find one or more new developers to identify and implement the fix, who may have little knowledge of the original code. This process puts strain on each department, slows resolution times, and produces less efficient code fixes, not to mention putting a serious drag on the development velocity of new features, as the developers are spending cycles reviewing old code instead of writing new code.

Locating vulnerabilities in code as early as possible and empowering the developer to correct those vulnerabilities ensures that the right person is always accountable for mitigating the risk, and that the code is still fresh in the developer’s mind. This means fewer risks are identified in the later stages of the CI/CD pipeline, reducing vulnerability backlogs and giving precious time back to developers, DevOps, and security teams.

THE GROWING TREND OF SECURITY CHAMPIONS

Organizations are growing wise to the benefits of decentralizing security efforts and incorporating developers in their hardening processes. Some studies have even found evidence that developer-integrated security practices are a sign of maturity seen in successful security organizations. In an annual study, the Building Security in Maturity Model (BSIMM) team found that all 10 of the firms with the highest BSIMM scores had implemented satellite teams that augment security efforts, and that these same satellite teams were missing from all 10 of the lowest-scoring firms.

A complete approach to supply chain security must include developer security champions. Developers should not only be included in the security process, but they should also be empowered to act on known risks with developer-oriented security tools that work within their existing development process.