Winning developer’s trust hasn’t traditionally been top of an enterprise security team’s priorities. Application security and developers often times have an antagonistic relationship, as each department is focused on a contradictory goal, creating a battle between security and competitive innovation.

This scenario is happening in a time when cyberattacks are on the rise. Criminals had a field day when thousands of employees moved from secure firewall protected systems to working on random devices in hastily constructed home offices. The United States Federal Bureau of Investigations reported a 400% increase in cybercrime at the start of the pandemic, and this month the Biden Administration announced plans for stronger sanctions on cybercrime.

Internally, security teams are responding by pushing security further and further left … into the domain of the developer. But, if developers aren’t invested in keeping applications secure, a check-the-box attitude can open loopholes for cyberattack. This is why developers need to be on board when it comes to scaling up open-source security.

“In the industry, we talk a lot about DevSecOps and that security is part of the DevOps process and everything is good,” said Susan StClair (pictured), director of product management at White Source Ltd. “But when you actually talk to people, it’s very much a work in progress. If you really want a shift left to work, you do need to build that buy-in; you do need to build the trust with your extended team.”

StClair spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the AWS Startup Showcase: New Breakthroughs in DevOps, Analytics, and Cloud Management Tools event. They discussed why winning developers’ trust is key to scaling up open-source security for the enterprise and how WhiteSource helps build that trust. (* Disclosure below.)

Is it better to sacrifice security or speed?

When it comes to a choice between baking in security and getting an application out the door, the focus is always on time to market, according to research conducted by WhiteSource for its “DevSecOps Insights Report.” Close to three-quarters of the 560 developers and application security professionals surveyed compromise security to meet deployment deadlines.

The report also found that DevSecOps practices are far from being established. Only 20% described their organization’s DevSecOps as mature, with 62% in process of improving DevSecOps practices.

“What we’ve found as a part of this survey is that the developers often feel forced,” StClair said.

On one hand, they are told that security is shifting left and that they “own” security, but on the other, they’re being pressured to get the application out the door fast.

“They’re really being forced into hard choices of which one to prioritize, and that comes down to a culture thing. What is more important to you, being secure or being competitive?” StClair added.

Smaller application security teams tend to rationalize shifting security to the developer’s plate based on their own overwhelm. But, there’s no easy solution to the security vs. speed dilemma. While AppSec may think “we have all of these developer teams over here and it’s their code and they should fix it,” they forget that developers aren’t trained security experts, according to StClair.

Hiring more cybersecurity staff could be a solution. But the skills gap makes it an impractical one. According to Cyberseek’s interactive heatmap, there is one position open for every two that are filled in the U.S.. That’s 500,000 unfilled jobs, and the situation is mirrored worldwide. The fallout is high burnout from unsustainable workloads, alongside the inevitable security lapses.

Tools help, but only if they’re the right tools. Too often they’re not, according to StClair.

“Because application security is focused on that check-the-box, because they need to do that for a compliance or governance reason, they really haven’t taken into heart the teams that would actually be using [the tools] and having to make the magic happen,” she said.

While developers “live” in tools such as integrated developer environments, code repository software and ticketing systems, “security doesn’t typically care anything about that,” StClair stated.

WhiteSource eliminates 85% of security alerts

This is where WhiteSource rides in to save the day, according to StClair. “If I don’t have the people, and I don’t have the skillsets, first of all [I need] automation,” she said. “The more that we can automate, the better.”

However, automating the scanning process immediately returns hundreds and thousands of insecurities that need to be fixed. “You’re like, ‘Holy moly, where do I even start?’ It’s just completely overwhelming,” StClair stated.

Trust and cooperation between security and developers makes a difference at this point. Communication between the teams means that developers can inform security which libraries are not in use. These are considered false positives as they don’t constitute a severe security risk.

“Having that ability to prioritize where to start and having the alerts based on that really reduces the noise,” StClair explained.

Add in WhiteSource’s ability to automate dependency tracing, and the process is streamlined even further. WhiteSource found that 85% of security alerts can be eliminated in use cases where companies have combined technology and cooperation.

WhiteSource’s auto-remediation solution

While automating the scanning process is extremely beneficial, WhiteSource’s differentiator is that it also automates the remediation process to remove the stress from the developer team.

“We can help development teams that are maybe not security experts, keeping them up to date and giving the automatic remediation,” StClair said.

This helps alleviate the skills gap, because developers can now fix issues without requiring in-depth cybersecurity training. WhiteSource also allows developers to control the level and pace of automation so that they can increase according to their own comfort levels.

With 23% of the Fortune 500 on its customer list, WhiteSource is confident in its platform’s abilities. Citing “large financial companies” that have used the company’s software to shift open-source application security into the hands of the development teams, StClair said: “They’ve really pushed it out to the development teams as part of a repo integration for scanning, for ticket creation, for auto-remediation, and that’s really let them scale beyond just one or two teams to thousands of repos. That is, in my opinion, huge validation that this works.”

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: New Breakthroughs in DevOps, Analytics, and Cloud Management Tools event. (* Disclosure: White Source Ltd. sponsored this segment of theCUBE. Neither WhiteSource nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE