Explore: Help organizations elevate DevSecOps maturity


Problem Statement

In many companies, proper secure coding and development practices are still lacking or immature. Security teams have a difficult time convincing engineering teams why fixing a given security issue in the code is necessary. Security fixes are often additional work on top of normal product development, and it may not be clear why a particular vulnerability is dangerous enough to warrant rising to the top of the list, so security teams must attempt to convince and negotiate with teams to get fixes. Providing tools and best-practice lists is not enough; they can only support, not directly drive, the transformational changes in organizational security mindset needed to truly say you have "shifted left".

Objective

Create an experience and functionality in GitLab that allow an organization to improve its DevSecOps maturity by fostering security-first practices. We should also be able to help an organization measure maturity progression by pulling success metrics and markers from our application.

The idea to explore here is how to naturally encourage engineering teams to address security issues and incorporate this discipline as part of their process. This could be anything from in-context education about introduced security vulnerabilities to gamification of the remediation process. We should also look for opportunities to improve communication and remove friction between security and engineering teams as they work inside GitLab.

Relevant Tools and Topics

Reach

The impacted users are:

The impacted buyers are:

Opportunity background

6.0 = Impacts a large percentage (~50% to ~80%) of the above.

This is potentially on the low side as almost any company doing in house development would benefit. Addressing the challenge of moving an organization to being security-first is potentially a large incentive for Ultimate adoption.

Impact

3.0 = Massive impact

From the referenced article, the financial impact of security breaches is rising into the trillions of (US) dollars annually. The only way to slow and eventually reverse this upward trend is by addressing the underlying cause of most exploited vulnerabilities: fix security defects in software before they are ever released and become exploitable.

Confidence

80% = Medium confidence

This is again a conservative estimate. The primary reason is that security is often a harder sell outside of security teams, as solutions are traditionally seen as costly and complex. Those on the security team advocating for better tools and processes are not always able to make organization-wide decisions that impact the fundamental workflows of those in other departments (for instance, development).

On the flip side, the need for better security is broadly accepted; it is the speed with which this acceptance translates into organizational change—and spending—that varies.

Evidence:

  • Desire for but lack of proper security-first coding practices highlighted by X security professionals in recent UX interviews

Effort

27

I expect it would take no less than 3 months with the full Threat Insights team (including PM and UX) to implement enough of a solution to address this challenge. This would include not only the basic experience to encourage secure coding but also the features to help an organization measure and drive improvement of their engineering security maturity.
