Developer productivity in the remote era [Q&A]
Many more people are now working remotely and developers are no exception. But how does this shift in working patterns affect their productivity?
We spoke to Manish Gupta, CEO and founder of code analysis specialist ShiftLeft to find out more about the challenges of development in a remote world.
BN: What are the greatest inhibitors to developer productivity?
MG: One of the biggest inhibitors to developer productivity is disconnected workflows. It's a much bigger context switch to have to go back and fix code that is weeks or even months old.
A recent survey of more than 165 developers, application security (AppSec) and DevOps professionals found 96 percent of respondents feel their productivity is inhibited by the disconnect between developer and security workflows.
Application security testing tools were traditionally used by AppSec teams, as their primary users, as one of the final steps in the waterfall model of the software development lifecycle (SDLC). However, in today's modern SDLC that is highly automated, running an application security scan at the end of the development lifecycle compromises the advantages of the modern SDLC. The disconnect between developer teams trying to quickly bring applications to market and application security teams trying to mitigate vulnerabilities and risk creates significant friction. The research also found that performing security scans too late in the software development lifecycle (90 percent) and lack of remediation guidance (88 percent) are significant inhibitors to developer productivity.
Simply repurposing tools designed for AppSec users is no match for today’s modern SDLC. In order to ensure that security is keeping pace with software today, organizations must create a culture in which each developer is accountable for the security of the code they write.
BN: The disconnect between Development and AppSec teams is only getting worse. What can be done to reduce that friction and quell discord?
MG: AppSec and developer teams ultimately need to put themselves in each other’s shoes. This will help both teams understand daily pressures, as well as the challenges that each face, and how they can work to eliminate those challenges for one another.
AppSec teams need to learn the daily challenges developers face with efficiency and productivity and understand the common obstacles that create bottlenecks, ultimately slowing them down. Developers, on the other hand, must gain an appreciation for finding and fixing vulnerabilities that when exploited can cause irreparable damage to the organization. By engaging developers and creating a culture of accountability to secure the code they write promptly, organizations of all sizes can finally run AppSec initiatives at the pace of software development.
BN: How can organizations ensure the AppSec tools they select not only meet security needs, but also foster developer productivity?
MG: Traditional AppSec tools no longer have a place in today's SDLC. Because much of AppSec work is now done by developers, organizations must seek out modern tools that are purpose-built to integrate seamlessly into developer workflows. Attempting to stretch traditional AppSec tools that were designed over two decades ago for a different purpose and a different user, is highly inefficient and creates friction between the development teams and AppSec.
Companies must understand how tools will be used by development and AppSec teams. Historically, static application security testing (SAST) and software composition analysis (SCA) tools were primarily used by the security team. Today, automated CI/CD pipelines, where developers make tens to hundreds of changes in a single day, demand that SAST and SCA solutions insert seamlessly into the developer workflow. The modern software development philosophy is one of "small changes," as they create less risk. Each of these "small changes" should be analyzed for security risk, placing new requirements on the SAST and SCA tools we need today.
Similarly, tools like dynamic AppSec testing, pen testing, and WebApp firewalls should all be security-centric, as they are used primarily by security teams equipped with deep knowledge and expertise to operate them efficiently.
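The per-change scanning described in the answer above (and again later in the interview, where the point is fast, incremental feedback with remediation guidance) can be illustrated with a small script. The following Python is an added example, not ShiftLeft code and not a tool named in the interview: it parses a unified diff, scans only the lines a pull request adds, attaches a remediation hint to each finding, and returns a pass/fail result a CI job could use as a merge gate. The rule set, file paths and sample diff are all constructed for the illustration; a real SAST engine uses data-flow analysis rather than regular expressions.

```python
"""Incremental SAST gate: scan only the lines a change adds and attach
remediation guidance to each finding. Added illustration; constructed rules."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    message: str
    remediation: str


# Hypothetical rule set (constructed): id, pattern, message, remediation hint.
RULES = [
    ("SQLI-CONCAT",
     re.compile(r'"(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+'),
     "SQL query built by string concatenation",
     "Use a parameterised query: cur.execute(sql, (value,))"),
    ("HARDCODED-SECRET",
     re.compile(r'(?i)\b(?:api_key|secret|password|token)\s*=\s*["\'][^"\']{8,}["\']'),
     "Credential literal in source",
     "Load the value from the environment or a secrets manager and rotate it"),
    ("WEAK-HASH",
     re.compile(r'\bhashlib\.(?:md5|sha1)\('),
     "Weak hash function",
     "Use hashlib.sha256 (or a password KDF such as scrypt for passwords)"),
]

# Unified-diff hunk header; group 1 is the first line number on the new side.
HUNK_RE = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every line the diff adds."""
    path, new_line, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False                      # new file section begins
        elif (m := HUNK_RE.match(raw)):
            new_line, in_hunk = int(m.group(1)), True
        elif not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")  # '+++ b/app/db.py' -> 'app/db.py'
            continue                             # other file headers are ignored
        elif raw.startswith("\\"):
            continue                             # '\ No newline at end of file'
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            pass                                 # removed line: no new-side number used
        else:
            new_line += 1                        # unchanged context: left to a full baseline scan


def scan_diff(diff_text):
    """Run the rule set over added lines only and return the findings in diff order."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for rule_id, pattern, message, remediation in RULES:
            if pattern.search(text):
                findings.append(Finding(rule_id, path, line_no, message, remediation))
    return findings


def gate(diff_text):
    """Return (passed, report_lines): what a CI job would post on the pull request."""
    findings = scan_diff(diff_text)
    report = [f"{f.path}:{f.line} [{f.rule_id}] {f.message}\n    fix: {f.remediation}"
              for f in findings]
    return (not findings), report


# Constructed sample pull-request diff; none of it is real project code.
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/db.py b/app/db.py",
    "--- a/app/db.py",
    "+++ b/app/db.py",
    "@@ -10,4 +10,6 @@ def get_user(conn, username):",
    "     cur = conn.cursor()",
    '     password = "constructed-preexisting-value"',   # unchanged line: not gated here
    '-    cur.execute("SELECT * FROM users WHERE name = ?", (username,))',
    '+    query = "SELECT * FROM users WHERE name = \'" + username + "\'"',
    "+    cur.execute(query)",
    '+    api_key = "sk_live_constructed_placeholder"',
    "     return cur.fetchone()",
    "diff --git a/app/util.py b/app/util.py",
    "--- a/app/util.py",
    "+++ b/app/util.py",
    "@@ -1,4 +1,4 @@",
    " import hashlib",
    " ",
    " def digest(data: bytes) -> str:",
    "-    return hashlib.sha256(data).hexdigest()",
    "+    return hashlib.md5(data).hexdigest()",
])

if __name__ == "__main__":
    ok, report = gate(SAMPLE_DIFF)
    print("\n".join(report))
    print("PASS" if ok else "FAIL: fix the findings above before merging")
```

Two design points matter for the workflow the interview describes. Scanning only added lines keeps the check fast enough to run on every commit and keeps the feedback tied to the change the developer is looking at right now, which is the productivity argument made above. The trade-off is visible in the sample: the pre-existing `password` literal sits on an unchanged context line and is deliberately not reported by the incremental gate, so a periodic full baseline scan is still needed to surface debt that predates the change.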
BN: Should developers be a part of the security tool selection process?
MG: By involving development teams in the process of researching, testing, and selecting security tools, integrating solutions into existing workflows becomes much more seamless, and fosters a culture of accountability.
Scaling security to meet the requirements of the agile SDLC requires increasing both developer engagement and efficiency. By including both security and development teams in the tool selection process, organizations can adopt application security solutions that eliminate friction between teams and foster collaboration, improving security and productivity.
BN: Empowering the virtual workforce is now more important than ever. As organizations continue to move towards and maintain virtual workforces, how can they better support their development teams?
MG: COVID-19 has undoubtedly shifted the entire business landscape. The virtual workforce is here to stay. As a result, every industry is and will continue to accelerate digital transformation initiatives to support today’s new reality.
Companies are relying on their development teams now more than ever to continuously bring business-critical applications to market, at higher velocities. However, with this expectation, business leaders must commensurately deliver a higher level of support to these teams.
Organizations must adopt developer-friendly tools and engage developers in the process of choosing them. As previously mentioned, developers should be able to easily insert security into today’s modern SDLC. This can be achieved through security solutions that are accurate, fast enough to allow scanning of each incremental change, and enable a workflow that allows developers to embrace security without negatively impacting developer productivity.
By ensuring developers get near-instantaneous security feedback about their code, companies can see improvement in mean time to repair (MTTR), increased developer productivity, and an ever-higher number of vulnerabilities fixed before the application is deployed in production.
Organizations that are taking the lead in digital transformation are the ones that have already started to embrace tools that seamlessly empower developers to take responsibility for security. These organizations are delivering fast while staying secure!
Photo Credit: ProStockStudio/Shutterstock