DevOps.com

How Developers Can Take a More Proactive Approach to Security

By Pete Chestna, January 24, 2018

Developers tend to get thrown under the bus when it comes to application security, but recent data shows that developers do, in fact, care about security. Take mitigation for example. Developers don’t try to rig the system by rejecting findings as false positives or as mitigated by design. Developers documented mitigations for just 14.4 percent of all flaws found by CA Veracode’s platform in the past year.


Still, IT and development professionals shouldn’t wait for a major breach to occur to uplevel their security skills. Here are a few ways developers can shift their approach from reactive to proactive.

Seek Out Alternative Education Options

The education path for IT and development professionals has some serious holes, especially when it comes to security. A whopping 76 percent of IT leaders report that they weren’t required to take a single security course in college. Many technology professionals are entering the workforce without a cybersecurity education, thus requiring them to learn their most crucial skills on the job rather than in the classroom.

Across industries, online learning has emerged as one of the most valuable resources for working professionals who want to learn new skills. Online education is flexible, personalized and covers a wide array of subjects. The impact is measurable: simply completing basic online courses about common vulnerability classes improved developers' fix rate by an average of 19.4 percent.


Many times, developers are forced to take education into their own hands. Sixty-eight percent of IT decision makers report that their organizations don’t provide adequate security training, so they must find a way to fight for educational resources. Teaming up with security colleagues to make the case to the C-suite is one way to do this. A two-pronged approach could make a difference when asking for increased training budgets.

Be Aware of Open Source and Component Risk

The industry faces a dilemma in securing the software supply chain. As development processes become increasingly automated, a lot depends on how well development teams piece together open source components with their own code. Reusing components speeds delivery and avoids reinventing solved problems, but every component pulled in ships with the application and becomes part of its attack surface.

Open source components carry their own vulnerabilities and risks. In the past year, the majority (87.6 percent) of Java applications scanned by CA Veracode had at least one component-based vulnerability. Many organizations either aren't aware of these vulnerabilities or don't even know what components make up their software products; without that inventory, nobody can say whether a newly disclosed flaw affects them.

Beyond lack of awareness, consistency in patching is also a problem. Once a development team integrates open source components into their code, they rarely update when security patches are released. Attackers move quickly on newly disclosed vulnerabilities to target organizations that fail to update fast enough, so timely, consistent patching, including of the transitive dependencies that direct dependencies pull in, is crucial.

Simply put, teams must bring a better discipline to the use of code components. Finding new ways to monitor, track and manage open source components in code is one of the most impactful activities developers can participate in to ensure secure software.
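The following script is an added illustration of the discipline this section calls for (know what components you ship, match them against advisory data, and measure how long a released fix has gone unapplied); it is not code from the article or from CA Veracode. Every coordinate, version, advisory identifier and date in it is constructed sample data, and the simple numeric version comparator is deliberately narrow, as the comments explain.

```python
"""Track open source components and flag ones with an available security fix.

Added illustration of the component-tracking discipline this section calls
for; it is not code from the article or from CA Veracode. Every coordinate,
version, advisory identifier and date below is constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed identifier, not a real CVE
    artifact: str          # "group:artifact" coordinate the advisory covers
    introduced: str        # first affected version (inclusive)
    fixed: str             # first fixed version (exclusive upper bound)
    fix_published: date    # date the fixed release became available


@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str
    advisory_id: str
    fixed: str
    days_unpatched: int    # days a fix has been available but not applied


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Trailing zeros are dropped so 1.2.0 == 1.2. Pre-release qualifiers such
    as 1.2-rc1 or 1.2-SNAPSHOT are rejected on purpose: ordering them
    correctly needs an ecosystem-aware comparator (Maven, npm semver, ...),
    and silently guessing would produce false "patched" verdicts.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version format: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Parse 'group:artifact:version' lines into (artifact, version) pairs.

    Blank lines and '#' comments are ignored. In practice this list should
    come from the build tool's resolved dependency tree, so that transitive
    dependencies are inventoried too, not only the ones declared by hand.
    """
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        group, artifact, version = line.split(":")
        components.append((f"{group}:{artifact}", version))
    return components


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(inventory: str, advisories: List[Advisory], today: date) -> List[Finding]:
    """Match every inventoried component against the advisory list.

    Results are sorted so the component whose fix has been sitting unapplied
    the longest comes first, which is the order a team should work through.
    """
    findings = []
    for artifact, version in parse_inventory(inventory):
        for adv in advisories:
            if adv.artifact == artifact and is_affected(version, adv):
                lag = max(0, (today - adv.fix_published).days)
                findings.append(Finding(artifact, version, adv.advisory_id, adv.fixed, lag))
    return sorted(findings, key=lambda f: f.days_unpatched, reverse=True)


# Constructed sample inventory (Maven-style coordinates), not from any real project.
SAMPLE_INVENTORY = """\
com.example:json-parser:2.9.10        # affected; fix available for months
com.example:http-client:4.5.13        # no advisory on record
org.example:template-engine:1.4.0     # affected; fix released days ago
org.example:logging-core:2.17.1       # already on the fixed version
"""

# Constructed advisories with made-up identifiers; dates are chosen relative
# to the audit date below.
SAMPLE_ADVISORIES = [
    Advisory("EX-2017-0001", "com.example:json-parser", "2.0.0", "2.9.10.1", date(2017, 9, 1)),
    Advisory("EX-2018-0002", "org.example:template-engine", "1.0.0", "1.4.1", date(2018, 1, 20)),
    Advisory("EX-2017-0003", "org.example:logging-core", "2.0.0", "2.17.1", date(2017, 12, 28)),
]

AUDIT_DATE = date(2018, 1, 24)   # used as "today" for the sample run


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, AUDIT_DATE):
        print(f"{f.artifact}@{f.version}: {f.advisory_id}, fixed in {f.fixed}, "
              f"fix unapplied for {f.days_unpatched} days")
```

Two points matter more than the matching itself. First, a component with no advisory on record is "no known issue", not "clean"; the inventory is what lets you re-run the check the day a new advisory lands. Second, the days-unpatched figure is the number to put in front of the team: a fix that has been available for months is the kind of lag attackers count on, while a fix released this week is a scheduling question rather than a failure.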

Leverage Security Teams as Consultants

As DevOps practices spread and more organizations require developers to do their own security testing, the role of the security team is evolving. Security professionals are becoming more like consultants that can uplevel developers’ skills with advice on best practices, strategic planning and individual coaching. This is where the idea of DevSecOps comes into play.

To bridge the gap between development and security teams, attitudes need to adjust on both sides. Security teams must begin approaching developers with an attitude of enablement and developers must be willing to team up with colleagues that have a hacker mindset and expertise in understanding threats to the organization.

Developers who see security experts as a resource rather than an opponent can make significant improvements to the security of their software application portfolios. Developers who paired their vulnerability findings with remediation coaching from security experts saw an 87.6 percent better fix rate than those who received no coaching.

When it comes down to it, both security and development teams should try to be more proactive. If both sides commit to breaking down silos and learning from each other, they will find that DevSecOps is the best way to ship software both quickly and securely.

— Pete Chestna

Filed Under: Blogs, DevSecOps Tagged With: devsecops, security education
