Before, security was the last thing on app developers' minds.
But increasingly, developers are "shifting left," says Dr. Nicole Forsgren, who works in research and strategy at Google Cloud — meaning that developers are thinking about securing their apps much earlier in the process. In other words, developers are starting to test for security requirements and scan for vulnerabilities as they create, not after.
That philosophy is on display not only at Google Cloud itself, Forsgren said, but increasingly in the industry at large, as well.
To prove it, Forsgren points to a report that Google Cloud first published in August, in collaboration with the cybersecurity company Capsule8, with data from over 31,000 professionals worldwide about their security and development practices.
Six years of research
Forsgren says this report was the culmination of six years of research, starting when she was the founder and CEO of a firm called DevOps Research and Assessment (DORA). Google originally partnered with DORA to better understand the field of DevOps, a philosophy of combining development and operations to deliver more software faster. Google Cloud acquired DORA in December, bringing some of the top DevOps experts under its umbrella.
Her research shows that rather than having separate security and developer teams, security needs to be better incorporated into the development process, Forsgren says. "Shifting left" includes creating security-based tests and inviting information security professionals to demonstrations of their software early on.
"I'm really excited to see how many more organizations, not enough but many of them, are starting to integrate security better into the process," Forsgren told Business Insider. "Security is super important. We just don't have enough security professionals. If we can embrace what's happening there, there's fantastic potential."
The benefit of shifting left is that developers don't have to spend as much time fixing security bugs once the code is already close to finished, because they addressed them earlier. It means being able to get back to coding new features and products, rather than fixing flaws and vulnerabilities.
"This whole shifting left is really about reducing costs," Maya Kaczorowski, product manager at Google, told Business Insider. "If I can fix something before it ends up in production, it saves me time if it were to breach. It saves me time figuring out where I was affected. There's a very clear business case to why I want to do this earlier."
Thinking with a 'security mindset'
What employees can do to improve the development process at their company is to help teach the rest of their organization to think with a "security mindset," says Kelly Shortridge, vice president of product strategy at Capsule8.
"We should bake security into everything the organization does," Shortridge told Business Insider. "If we keep treating security as this arcane mystical art, we shouldn't be surprised when an organization doesn't embed security into these processes."
For example, she says, companies should think from the attacker's point of view when securing their software. Most likely, she says, attackers will try to find the easiest and cheapest way to engineer an attack, such as phishing — where an attacker pretends to be a bank, IT manager, or other trusted figure in order to obtain passwords and personal information.
Shortridge predicts that in the future, the industry will see a "dismantling of the traditional security team." She says that rather than having separate security teams that reach out to engineering teams, these teams will join together.
"One problem security has a lot of the time is there's this notion you're going to meet a perfect state of pure security and sit on a mountain and gaze on it from above and everything will be alright, but that's just a fantasy," Shortridge said.
Improving cybersecurity also has a cultural aspect, Forsgren says. Within Google Cloud, the company is working on improving productivity by improving work-life balance and preventing burnout.
"What it really means is finding this great workflow," Forsgren said. "I'm sure we've seen this. We can get complex tasks done. The opposite is we seem to be busy all day long and you get nothing done."
This includes making security tools easier to use and making information about security more accessible so that employees can be more productive, Shortridge says.
One example she's seen is setting up bots on the Slack chat app that employees can use to ask about security policies, meaning the security team spends less time answering the same questions over and over.
She also says employees can burn out from tasks like managing security configurations and maintaining documentation.
"Overall it's a lot of headaches and that contributes to burnout," Shortridge said. "Anything that can help analysts feel more productive, having to fight fewer fires, feeling less like they have the whole weight of the world on their shoulders can help alleviate burnout, which could be a fantastic thing for the industry."