In a world where one data breach is all it takes to destroy a business, only the prepared and vigilant organisations that embrace security in their operations can prevent disaster. Yet, if you ask most developers about security, their faces crease into an irritated frown. Security is seen by developers as the domain of the AppSec team, who have the unenviable task of scanning code and reporting back to the development team that their code is insecure or, indeed, entirely unusable. AppSec teams are often viewed as the sticks in the mud who pick apart good work, halt innovation, and generally create headaches for developers. To put this into a real-world example, imagine the following:
- A developer happily codes away in the IDE within their own local branch.
- They then commit the code and push it to a new remote branch using a code management tool, such as GitHub.
- Then, they navigate to the repository in the code management tool and create a pull request.
- The reviewer checks the code and leaves comments as necessary.
- The developer makes the changes requested by the reviewer, and the pull request is then merged into the master branch.
- The developer happily moves on to their next task and then BOOM – the AppSec team reports security bugs in the code that was already merged.
- The developer has to drop everything and go back to fixing code they thought they were already done with.
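The fix for the scenario above is to run the security scan at pull-request time, so findings land in the review step rather than after the merge. The following GitHub Actions workflow is an added example, not taken from the original post; it assumes the repository lives on GitHub, merges into a branch named `master`, and contains JavaScript (change `languages` to match your code base).

```yaml
# .github/workflows/pr-security-scan.yml (added example, not from the original post)
name: PR security scan

# Run on every pull request targeting master, i.e. before the merge in step 6,
# so the findings that arrived at step 7 now appear alongside the reviewer's comments.
on:
  pull_request:
    branches: [master]

# Least privilege: the job only needs to read the code and upload scan results.
permissions:
  contents: read
  security-events: write

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Initialise CodeQL for the languages in the repository.
      # "javascript" is an assumption for this example.
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript

      # Analyse the pull request and post results as code-scanning alerts on the PR.
      - uses: github/codeql-action/analyze@v3
```

To make this a gate rather than a notification, add a branch protection rule on `master` that requires the `codeql` check to pass before merging.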