How are CISOs coping with developer gatekeeping? [Q&A]
CISOs are under the microscope to prove they can reduce vulnerabilities in the software development life cycle -- particularly, that they can do so from the start of code creation. As such, CISOs are searching for the most effective way to ensure the security awareness of their developers before they take on the responsibility of writing and introducing code.
Secure Code Warrior's co-founder and CTO, Matias Madou, believes that a 'gatekeeping' standard -- where developers are incrementally given access to more sensitive projects -- is the key to building a strong foundation for secure coding processes.
BN: What would you say are the biggest struggles for CISOs right now when it comes to ensuring security throughout the software development lifecycle?
MM: The most significant struggles for CISOs right now revolve around the need to start strong -- that is, having teams that can catch vulnerabilities in code review and prevent them from being introduced in the first place.
To ensure security throughout the software development lifecycle (SDLC), CISOs need security-aware developers they can trust to make responsible choices that balance productivity gains with security best practices -- ultimately preventing poor coding patterns and their potential exploitation. As such, they should prioritize hiring or training security-skilled, top developers to provide the correct verification and implementation oversight, as opposed to lamenting the long-standing shortage of senior AppSec personnel, who are thin on the ground across the globe.
That said, an additional challenge for CISOs is determining which developers are truly ready for the projects they will be assigned and which developers can be trusted for more sensitive, complex tasks. CISOs need foreknowledge of individual developer and overall team performance, based on measurements of their security skills and responsible usage of vital technology tools (such as AI coding assistants) without overreliance.
BN: What is 'gatekeeping' in software development, and why does Secure Code Warrior believe it to be an effective way to build a strong foundation for secure coding processes?
MM: Gatekeeping in software development involves progressively allowing developers access to prestigious -- or increasingly sensitive -- projects as they prove their security prowess, and show a commitment to applying best practices to new or more challenging contexts.
This is an effective way to build a strong foundation of security processes early in the SDLC, as it encourages developers to master foundational secure coding skills, and incrementally build on those skills before moving on to more complex projects.
Gatekeeping, though typically used as a negative phrase, positively incentivizes developers to upskill, which improves professional development at the individual and team levels. As developers gain more responsibility, they prove their continuous use of secure coding practices, reducing the risk of vulnerabilities in each stage of development. This leads to the advancement of a more security-mature organization.
BN: Does gatekeeping, in your opinion, necessitate the establishment of a benchmark CISOs and organizations can use to ascertain a developer's cybersecurity prowess?
MM: A benchmark for cybersecurity skill sets greatly enhances the process of progressive gatekeeping because it sets a collective standard across the organization, keeping developers and their leaders accountable for the continuous improvement of baseline security knowledge. It also ensures that gatekeeping is fair, based on performance.
Everyone will be on the same page of what is expected. Development teams may all go through the same secure coding program, but have varying results or aptitude in one area over another. A benchmark would thus render any project or codebase restrictions based on the results developers can produce, as opposed to classes they complete -- the latter of which can be done without showing successful application of new knowledge or skills.
BN: Can you describe the key components of successful gatekeeping and how they can be operationalized?
MM: Successful gatekeeping empowers developers toward meaningful, incentivized continuous improvement. To build the ideal development team, organizations must consider focusing the top security-skilled developers on the most critical applications.
This sets the achievement expectation for all remaining developers on your team.
The core components of gatekeeping include:
- Incentivizing developers to upskill to obtain broader access to more classified repositories and integrations.
- Providing training time during the work day for developers to learn and take assessments to prove higher levels of security knowledge. There is a certain level of training needed to understand important repositories, such as those processing PII, or online payment gateways.
- Raising awareness for more lucrative career pathways for those who are security aware.
- For developers with exceptional secure coding skills and a keen interest in security, collaborative threat modeling programs with the AppSec team can be a great way to mend the ‘us and them’ mentality that often exists between the two groups, while also ensuring that those who know the code best can provide valuable, fortifying insights.
This renewed focus on flexibility and control empowers developers to choose their pathways while ensuring teams stay within parameters and deliver expected results. Organizations that realize the true benefit of empowerment via gatekeeping will increase developer productivity and software delivery, building their competitive advantage.
BN: What types of training or tests can be used to measure developer/team progress and prove they are capable of handling more sensitive projects?
MM: To assess the effectiveness of security programs, security teams need to evaluate their success through various measurement topics, including:
- Visibility into its effectiveness. How are the outcomes contributing to bigger organizational goals, and do these goals have executive buy-in?
- Data-driven measurement to understand how organizations compare within their industry. How can teams work toward improvement to outperform their competition?
- Flexibility to adjust goals based on the pace and skill level of the development team. What are the next steps when teams need to re-prioritize coding language development, skills training, etc.?
These standards can help paint a more comprehensive picture of the current state of an organization’s security learning program, and they enable teams to optimize their performance. At the individual level, this helps developers identify what’s going well, what needs improvement and what a learning path forward for continued growth could entail. At the team level, developers gain a solid understanding of how their strengths contribute to the team's overall dynamic. As the level of a developer's responsibility continues to evolve, those who set a measurement for success will stay ahead of the curve, allowing their growth to align with the current developer role.
Given the current standing of AI coding tools, they can -- and should -- be assessed on their security impact, and on their effectiveness in balancing productivity with risk mitigation within the codebase. This can take the form of measuring their output directly, or in tandem with a human developer. Ultimately, any tools in use within the developer workflow should be monitored as part of an organization's overall security program, and in this new hype wave with AI tooling, organizations should understand the security limitations intimately and lessen their impact by providing ongoing training and knowledge-sharing to the humans at their helm.
BN: Do you have any guidance for individual developers, as well as developer teams, in organizations where gatekeeping may be implemented?
MM: As developers increasingly need to prove they are security-aware before being given projects with sensitive repositories, a gatekeeping standard -- where developers are incrementally given access to more sensitive projects -- is the key to building a strong foundation for secure coding procedures. My guidance for developers looking toward continuous skills improvement falls into three key areas:
- Constantly Evaluate: Deciphering security best practices and spotting poor coding patterns -- the type that can lead to exploitation -- has emerged as a skill that developers must prioritize. This critical evaluation helps determine if the expectation (the intended goal of the software) matches reality (what developers actually created). Once this has been determined, teams can then adjust and refine their learning programs to match the current reality of required upskilling and verification of those skills.
- Prioritize Investment: A successful security program begins with investment and 'buy-in' at the enterprise level. Therefore, development managers need to focus on visibility, flexibility and data-driven insights to increase the progress of their team. Development teams often go through the same secure code program -- but that can represent a bell curve of experts, mean performers and underperformers, and any program needs to be adaptable enough to engage and show progress at each learner’s current level.
- Set Standards: A set of gatekeeping benchmarks that developers can strive to master will help set them up for success as their role continues to evolve.