Original Post: Four levels of maturity that bridge the AppSec / engineering divide
The guest post by Jacob Kaplan-Moss, co-creator of Django, explores the often conflicting relationship between Engineering and Security in software development. Kaplan-Moss emphasizes the importance of integrating security checks into continuous integration and delivery (CI/CD) pipelines as a way to enhance collaboration and produce secure code.
- Introduction: The author describes the longstanding friction between engineering (focused on delivery) and security (focused on risk prevention), advocating for more collaborative practices.
- Bringing Security along on the CI/CD journey: Engineering teams have incorporated CI as key to quality assurance, but security has lagged behind, often relying on manual processes. Integrating security into CI/CD can improve collaboration and maintain delivery speed while ensuring secure code.
- Levels of Integration Maturity:
  - Level 1: Security finds issues after deployment and Engineering fixes them. This leads to difficulty confirming fixes, regressions, unaddressed systemic issues, and conflict between the teams.
  - Level 2: Security and Engineering collaboratively write automated tests that verify each fix and guard against regression, improving collaboration.
  - Level 3: Both teams work on systemic fixes, using tools such as Semgrep to scan the code base for the same class of issue, so the whole pattern is addressed rather than a single instance.
  - Level 4: Proactive issue discovery through threat hunting, continuous learning from security research, engineering-driven penetration testing, and turning these insights into automated checks.
- Next Steps: Teams should evaluate their current level of integration and seek to advance by implementing collaborative practices and adopting security tools for systemic fixes. This progressive approach shifts Security from a reactive to a proactive role, enhancing overall security posture.
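As an added example (not from the original post), a Python sketch of Levels 2 and 3 side by side: a regression test that pins one hypothetical fix, and a small AST-based scanner standing in for a Semgrep rule that catches the same defect class across a code base. The function names, the SQL schema and the sample module are constructed for this illustration.

```python
import ast
import sqlite3

# ---- Level 2: pin one fix with a regression test ------------------------
# Hypothetical fixed function: the query is parameterised instead of being
# assembled from the user-supplied name.
def find_user(conn, username):
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]

def regression_test_find_user():
    """True when a name containing a quote is handled as plain data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'o''brien')")  # constructed row
    return find_user(conn, "o'brien") == [1]

# ---- Level 3: systemic check over the whole code base -------------------
def _is_interpolated(expr):
    """True for f-strings, "%"-formatting and str.format() calls."""
    if isinstance(expr, ast.JoinedStr):
        return True
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Mod):
        return True
    return (isinstance(expr, ast.Call)
            and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")

class _ExecuteScanner(ast.NodeVisitor):
    """Records line numbers of .execute()/.raw() calls whose first
    argument is built by string interpolation."""
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in ("execute", "raw")
                and node.args and _is_interpolated(node.args[0])):
            self.findings.append(node.lineno)
        self.generic_visit(node)

def scan_source(source):
    """Return line numbers of findings in one module's source text."""
    scanner = _ExecuteScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings

# Constructed module used to exercise the scanner (not real project code).
SAMPLE = '''\
def a(cursor, name):
    cursor.execute(f"SELECT id FROM users WHERE name = '{name}'")
def b(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = '%s'" % name)
def c(cursor, name):
    cursor.execute("SELECT id FROM users WHERE name = ?", (name,))
'''
```

Running `scan_source(SAMPLE)` in CI flags lines 2 and 4 and leaves the parameterised call on line 6 alone, which is the difference between pinning one fix and catching the whole class.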
By embedding security into the CI/CD process and fostering collaboration between Engineering and Security teams, organizations can ensure robust, secure, and efficient software development.