The Inherent Tension

Speed is of the essence today: developers are under constant pressure to ship features, fix bugs, and iterate rapidly to stay ahead of the competition. The mantra of "move fast and break things" has become a guiding principle for many development teams.

Unfortunately, this method of doing things is inherently at odds with writing secure software. Developers don’t want to become experts at security, and slowing down for anything is a tough proposition. Security isn’t a problem that will just go away, though.

Neglecting code security can have severe consequences. Insecure software can lead to data breaches, compromised user privacy, financial losses, and damage to a company's reputation. Not only that -- regulatory requirements and industry standards, such as GDPR, HIPAA, and PCI-DSS, mandate the implementation of robust security measures under threat of hefty fines.

Finding the right balance between velocity and security is crucial for the long-term success and sustainability of any software development project. In this blog post, we will look at this issue from both the developer's and the security team's perspective. Then, we will show you how the right tools and approach can resolve this dilemma, keeping both sides happy.

Developer’s Perspective: The Focus on Velocity

From a developer's perspective, velocity is critical. Minimizing the friction in the development process and eliminating any bottlenecks are top priorities. Developers use strategies like agile methodologies, continuous integration and deployment (CI/CD) pipelines, and automation tools to accelerate the software development lifecycle (SDLC).

Unfortunately, developers often view security as a hindrance to their velocity. There are numerous reasons for this:

  1. Traditional security practices can be seen as roadblocks that delay the release of new features.
  2. Developers may perceive security requirements as a checkbox that needs to be ticked, rather than an integral part of the development process.
  3. Security can feel like a moving target due to the constant evolution of threats.
  4. Developers may feel like they need deep security expertise to identify and mitigate potential vulnerabilities in their code.

As much as developers might wish security could be an afterthought, treating it like that actually adds more work to their plates. Not designing your development process for security leads to technical debt, difficult rework, and potential security incidents. Security threats aren’t just going to go away.

Security Team’s Perspective: The Need for Safety

From the security team’s perspective, safety is critical. They understand that a single vulnerability can be exploited to cause significant damage, leading to data breaches, financial losses, reputational harm, and legal consequences.

However, security teams often face challenges when collaborating with development teams. The things that make collaboration difficult for the security team include:

  1. Security lacks visibility in the development process and might misunderstand the work that goes into remediating a vulnerability.
  2. The complexity of existing development workflows can make it hard to enforce security without disrupting the process.
  3. Security personnel may have communication barriers between themselves and developers, making it hard to find support.

In my opinion, soft skills are an extremely undervalued part of working in application security. Many of the issues that plague security teams come from lack of communication or lack of empathy for the processes and constraints that developers are working with. Security professionals can’t expect vulnerability remediation efforts to go smoothly if developers feel more like adversaries than teammates.

The Solution: Shift Left and Empower Developers

Despite the seemingly unavoidable friction between velocity and security, there is a way to find a balance and have both. This balance is all about “shifting left”, or integrating security into every step of the development lifecycle in a process called DevSecOps. While the old approach to application security was characterized by roadblocks, misunderstandings, and bad expectations, DevSecOps is all about automation, clarity, and enablement.

There’s a lot that could be said about DevSecOps, but in this article we will stick to the basics. In the software development lifecycle, DevSecOps bridges the gap between security and velocity in 3 ways:

  1. Automated security checks on developer workstations and the CI/CD pipeline
  2. Real-time feedback and clear guidance for developers
  3. Seamless integration with existing tools and workflows

Together, these 3 pillars help security teams meet developers where they are at, adding minimal overhead to the development process. DevSecOps is all about enabling developers to own the security for their own digital products with the least amount of expertise possible. With this approach, security teams provide developers with the tools and knowledge they need to succeed.

If you’re interested in learning how to build a holistic DevSecOps architecture at your organization, check out my whitepaper, DevSecOps Blueprint. In this article, we’ll look at a concrete example of DevSecOps and show how you can use tools like GitGuardian that embody the spirit of collaboration.

How GitGuardian Enables Secure Velocity

GitGuardian’s secret detection platform may be focused on security, but it was built with developers in mind. It’s evident in many of the features of the platform that GitGuardian understands the constraints that developers are dealing with and how they want to work. In this section, we will look at a handful of ways that GitGuardian delivers a collaborative and DevSecOps-focused product that allows developers to stay secure without sacrificing velocity. 

Automated Secrets Detection

The most critical part of DevSecOps is shifting processes from manual to automated. GitGuardian’s tooling provides a few different ways to detect leaked secrets without developers needing to change any behavior.

Primarily, GitGuardian offers a GitHub App that can detect secrets in your git repository’s history and Pull Requests. The seamless integration with GitHub repos has been a hit with developers for a long time. GitGuardian is the #1 security app on the GitHub marketplace, and the #2 app across all categories!


While the GitGuardian app makes it easy to enforce secret detection in your GitHub repos, GitGuardian Shield (ggshield) offers a way to automatically detect secrets even earlier in the development process. With ggshield, you can set up a pre-commit hook that automatically runs every time you use `git commit`, preventing secrets from ever entering your git history!
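To make the pre-commit mechanism concrete, here is a minimal hook script added as an example for this post; it is not ggshield's code. A git pre-commit hook is just an executable at `.git/hooks/pre-commit` whose non-zero exit status aborts the commit. This script reads the staged diff, keeps only the lines the commit would add, and blocks the commit when one of a few high-signal patterns (an AWS-style access key ID, a PEM private key header, or an assignment to a key/secret/token variable) appears. The regexes, the `--demo`/`--hook` flags and the sample diff are all constructed for this example; ggshield's own hook replaces the grep chain with its full detection engine (the command `ggshield secret scan pre-commit` is what I recall from its documentation, so treat that name as an assumption).

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example, not ggshield's own code).
# Exit status 1 aborts the commit; 0 lets it through.

# Constructed sample in the shape of `git diff --cached` output. Note that
# the removed line (-) and the +++ file header must NOT trigger a block.
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"'

# scan_added_lines: read a unified diff on stdin, keep only added lines
# (leading "+", but not the "+++" header) and match them against the
# constructed patterns. Returns 0 when clean, 1 when a line looks like a
# secret; matching lines are reported on stderr for the developer.
scan_added_lines() {
    hits=$(grep '^+' | grep -v '^+++' | grep -E \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e '(api[_-]?key|API[_-]?KEY|secret|SECRET|token|TOKEN)[[:space:]]*[:=][[:space:]]*.?[A-Za-z0-9_/+=-]{20,}')
    if [ -n "$hits" ]; then
        printf 'Commit blocked: possible secret in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Entry point. Installed as .git/hooks/pre-commit it would be invoked with
# no arguments, so the --hook flag below is only a convenience for this
# example; --demo runs the scanner over the constructed sample instead.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_DIFF" | scan_added_lines ;;
    --hook) git diff --cached --unified=0 | scan_added_lines ;;
esac
```

Running `sh pre-commit.sh --demo` exits 1 and names the offending line, which is the experience the post describes: the developer sees the problem before the secret ever reaches the repository history. Scanning only added lines is a deliberate choice: a commit that removes a secret should not be blocked, or developers cannot clean up after a leak.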


Real-time Feedback and Remediation

In addition to automated detections at different stages of the git pipeline, GitGuardian also offers ways for developers and security teams to get real-time feedback as development happens.

For developers, GitGuardian’s Visual Studio Code (VSCode) plugin gives instant feedback in the linter as code is being written. In terms of shifting left, it doesn’t get better than that!

Detection and remediation from the VS Code extension

For security teams, it can be difficult to understand the context around a leaked secret and the application that it was leaked in. When a secret leak is detected, GitGuardian immediately prompts developers to provide feedback on the leak, giving security teams the visibility they need to audit the incident and know whether follow-up is needed.


Integration with Developer Workflows

GitGuardian offers multiple integration points at various stages of the software development lifecycle. From the beginning to the end of the development cycle, there are multiple places that GitGuardian tools stay in step with developers:

  • The CLI on a developer’s workstation
  • In VSCode as an IDE plugin
  • A pre-commit hook in git 
  • Integrations with many version control, CI systems and collaboration tools
  • Image scanning in container registries
  • Ticketing systems like Jira for tracking remediation

These integrations meet developers where they are at, reducing context switching and enabling instant feedback at different checkpoints within the SDLC.

Reduced False Positives

Another key benefit of GitGuardian is how infrequent false positive detections are. This doesn’t necessarily have to do with DevSecOps, but from an operational perspective it matters a great deal that your developers can trust the output of a security tool. When a tool frequently steals developers' attention for findings that aren’t actual issues, those developers quickly learn to ignore that tool.

GitGuardian’s machine-learning-based false positive (FP) remover is a proprietary engine that reduces false positives by 3x compared to signature detection alone. This translates to near-100% precision for secret detection. You can read more about the FP remover here and here.

Centralized Reporting

The final piece of GitGuardian’s formula for collaboration between developers and security is centralized reporting. GitGuardian’s tailored views give users just the right amount of context and visibility. Security teams get a clear overview of the whole organization’s secret posture, while developers can see what is relevant to them.

As a shared platform for managing secrets, GitGuardian bridges the communication gap between security and development teams by making responsibility clear and enabling asynchronous communication.


Conclusion

Security shouldn’t be an extra step or a box to check. It should be something that is built into the development process that just happens. Balancing security and velocity isn’t easy, though. GitGuardian’s focus on developer empowerment is a great example of how to meet developers where they are at and find a middle ground that works for everyone.

GitGuardian bridges the gap between security and development by providing a collaborative platform for managing secret exposure. If you want to learn more about the DevSecOps principles that GitGuardian embodies, check out my whitepaper and test out GitGuardian for yourself (it’s free for public repos)!