
How to Add Automation into a Secure SDLC


How to Add Automated Operations into a Seamless Secure Coding Practices Workflow

Many software and app companies have looked to automated operations to create a more streamlined and efficient development process. Adding the right tools to CI/CD workflows can save developers time and alleviate some of the burden of manual work. In DevSecOps, these tools automatically search for vulnerabilities, raise a flag when they find them, and provide information about how to fix them.

It’s important to note that automation will never replace human employees or manual DevSecOps. Think of these tools as similar to your spelling or grammar checker. They can be extraordinarily useful as you’re preparing a document, but they don’t catch every error, and they often lack nuance—most of us have at least one hilarious or embarrassing example of when autocorrect failed us. In the same way that you’ll still need to edit your writing to make sure it says what you want it to, developers will still need to manually check for vulnerabilities in software and app development.


How to Incorporate Education Into Automation of Secure Software Engineering

HackEDU can integrate additional tools that fold hands-on security training into the SDLC without interrupting the workflow or distracting from product roadmaps. Studies show that even developers who complete a portion of HackEDU’s education offerings are better able to find and fix code security issues.

In 2020, HackEDU conducted a case study with a large software technology company that wanted to find the ROI on training solutions so it could justify the time developers spent on education. HackEDU found that developers were able to increase their secure coding knowledge by 452% after taking just 12 of HackEDU’s 35 lessons and completing 12 HackEDU challenges. Prior to training, 58% of the developers were unable to find or fix even one vulnerability, resulting in 86% of vulnerabilities slipping through. After training, developers found and fixed 81% of vulnerabilities.


How It Works

HackEDU’s tools integrate with popular SAST and DAST tools, bug bounty platforms, SCA tools, code repositories like GitHub, and issue trackers.

As SAST and DAST tools search for vulnerabilities, HackEDU’s tools analyze the kinds of errors that are found most often. HackEDU can then assign each developer relevant lessons based on those results. This saves time in two immediate ways: administrators don’t have to decide what to assign, and each developer receives a custom learning plan based on the lessons that would benefit them the most. In the long run, these lessons help developers reinforce their knowledge, so they make fewer errors over time.

While these tools supplement hands-on training, they don’t disrupt the workflow. Developers are free to make quick fixes while they’re working on the code, then take the suggested lessons when they have time. Each one is a quick bite, about 15 to 20 minutes, so developers can take them while compiling code, waiting for QA to test their code, or during other downtimes within the workday. This way, developers will not spend time training outside of office hours, and the education they complete is directly tied to the work they do.

Organizations can also use HackEDU’s tools to document and manage training. For example, HackEDU’s tracking tools show how much training a developer has completed or if any training is past due. Organizations can reward developers who reach milestones and automatically send reminders to those who need to catch up through Slack, Microsoft Teams, or email.

Alternatively, thanks to HackEDU’s integration with GitHub and other popular code repositories, admins can choose to block developers who are behind on their training from checking in code until they’re current. Or, organizations can specify a minimum amount of training new developers must complete before they can check in code. This can all be done automatically with no admin overhead once an organization decides on the parameters that work best for its teams.