Involve security teams in development
Involve the security teams early in the development process
Security teams must work together with development teams, so that applications are built with security in mind from day one and it’s not added at the last minute.
if security teams criticize developers one minute before the deploy to production, a constructive relationsihip is not created. It is a foundational that those areas form a relationship early in the project, planning the necessary protection for each application from the beginning, or at least from the first prototype.
In later phases are other recommendations related to this one:
Risk Mitigation
- Application security vulnerabilities that get to production often are related to lack of time to remediate, because of late involvement of security teams, application vulnerabilities are often exposed to the public, as web ports are typically open to serve the web applications, becomming a point of entry for adversaries.
Guidance for assessments
- How is your security team working with the development teams ? proactive ? reactive ?
- Are architectural decisions decided with someone from the security team on the design phase of your application ?
- Is the security team providing early guidance on security best practices to the development team ?
- Is the security team involved early on application security reviews ?
- How close to launch date is the security team invovled ?
- Is the security team easily reacheable for developers to answer their doubts ?