Sonatype


Rough Security Reviews in Roanoke

Hey Sloan,


I’m an Application Security Manager at a mid-size company. About a year ago, my company adopted DevOps practices, with hopes for more frequent releases and a better feedback loop for our product. Since then, every release feels like a game of whack-a-mole with new vulnerabilities from our dependencies! Security reviews are causing some tension in the office, too, since my team is often holding up releases. I could really use some advice for expediting our security reviews while keeping our standards high.

Rough Reviews in Roanoke


I’m so glad you asked!

Managing risks from the third-party software components in your software supply chain is tricky business, but to me, this sounds like a process hiccup. As part of your new DevOps process, security needs to get involved earlier in the software development lifecycle (SDLC). That way, Application Security can be an ally to the development teams instead of a hurdle for releases. I have a few ideas to empower your development teams and make mitigating vulnerabilities easier.

Establish a comprehensive component evaluation process

Work with your development teams to establish a robust evaluation process for third-party software components. Having a clear, consistently applied process for adding new dependencies will limit new vulnerabilities and keep developers from being surprised down the line. When evaluating a component, consider the creator’s reputation and how quickly they respond to reported vulnerabilities. Thoroughly assess your needs along with the design and quality of the package to identify potential risks.

Offer training and security resources to development teams

The developers you work with can’t pick secure components if they don’t know how. As the Application Security team, you’re the expert on selecting secure components and identifying vulnerabilities. Offer regular training and tools to help development teams pick better components from the start.

Implement a proactive monitoring and vulnerability-scanning tool across your applications

New vulnerabilities don’t just come from new dependencies. They’re discovered all the time in components you already use. A Software Composition Analysis (SCA) tool with continuous monitoring can give security and development teams a heads-up as soon as a new vulnerability is published against one of your components. This way, you empower developers to remediate vulnerabilities before release rather than at review time. Collaborate with your development teams to address and mitigate these vulnerabilities through patching, updates, or replacement.

Develop a comprehensive plan for handling new vulnerabilities

Define roles for all stakeholders on both development and security teams. This plan should also define communication channels and create incident-response procedures for handling vulnerabilities. Regularly update the plan to ensure it’s relevant and effective. Commit to following the plan and insist that others do the same.

The Final Word

By embracing a collaborative approach with your development teams, you can fortify your software supply chain and expedite releases.

Remember, in a DevOps transformation, you’re changing how your teams interact with each other to break down silos and build faster. It’s your job as the Application Security team to be a good partner in this process. Working with development teams early will save both teams a lot of time. Security will have fewer issues to address before releases, and development will have less rework after your security audit. By collaborating from the start, you’ll be in a position to claim the ever-elusive “win-win”.
