Nick Liffen, Director, Advanced Security, GitHub

Here are five tips to enhance DevSecOps, focused on making security tools more usable — to unlock faster releases of more-secure products.

    1. Integrate security into existing workflows

    Since many security tools are designed with security professionals in mind, adding them to already-existing development workflows can create friction. When looking to integrate a new tool into the software development lifecycle, consider extracting the desired data from the security tool and natively integrating it into the developer’s workflow. Or even better: look to a tool that is already embedded within the flow. This reduces context switching and helps developers detect and remediate vulnerabilities earlier. Additionally, leveraging AI tools within Integrated Development Environments streamlines the process further, allowing developers to address security alerts without leaving their coding environment.

    2. Prioritize relevant alerts

    Bringing security into the development process also means remediating alerts, but simply asking developers to remediate all security alerts is unrealistic. A barrage of alerts, especially false positives, can chip away at a developer’s trust in the tool and compromise productivity. A well-integrated security tool should have an alert system that surfaces high-priority alerts directly to developers. For example, alert settings based on custom and automated triage rules, filterable code scanning alerts, and the ability to dismiss alerts will contribute to a more effective alert system. This ensures developers can swiftly address urgent security concerns without being overwhelmed by unnecessary noise and helps to ultimately clean up an organization’s security debt, which if left to accumulate, can become harder and more costly to fix.

    3. Implement AI and automation

    It has become more difficult for developers to stay ahead of vulnerabilities due to noisy alerts, growing system complexity, scarce resources, and rapid threat evolution. AI and automation can be implemented to assist developers by lowering false positives, facilitating dependable security checks, and scaling security procedures. AI-generated code-fixes and vulnerability alerts streamline remediation into the developer workflow. Additionally, AI can enhance the modeling of open source frameworks, making vulnerability detection more accurate. Automation capabilities, including branch protection rules and status checks, further empower developers to proactively address security issues.

    4. Involve developers in security decisions

    Organizations should involve developers in the creation of security processes and policy decisions. This will help to ensure a smooth collaboration between engineering and security teams. Before implementing new tools or changing policies, seek feedback from a developer champion. Asking questions about the current effectiveness of security practices, the impact of tools on workflow, and recommendations for tools or practices can help identify areas for improvement. This collaborative approach creates a more developer-friendly security environment.

    5. Set clear expectations around secure coding (42%)

    DevSecOps is not about introducing new tooling, but rather, establishing clear expectations and processes for effectively using existing tools. Clear communication about policies and secure coding practices ensures that security is applied consistently throughout the software development lifecycle. Organizations should establish secure coding standards, then appoint champions to communicate policies effectively across teams. This approach removes ambiguity, raises security awareness among developers, and promotes a DevSecOps culture throughout the organization.