Shifting Left, Moving Forward (Part 2): Practices and a Team-Based Approach to Software Security
How engineering teams are implementing security best practices and why working together is the key to success.
Hello, Cyber Builders🖖
We’re continuing our journey into the dynamic world of software security. In my last post, I shared that we at CyGO Entrepreneurs are deep into a customer discovery project, speaking with various security practitioners, developers, PMs, CTOs, and security officers. This has been an exciting learning process, and it’s clear there’s so much happening in software security.
Last time, we explored why software security is crucial, especially in today’s fast-paced development environments. We’re still in a discovery phase, gathering insights from real-world practitioners. If you missed that post, you can catch up here, where I discussed the initial learnings from these conversations. But now, it’s time to dive deeper.
I’m building on that foundation this week by breaking down the key concepts and core practices engineering teams use to strengthen their security efforts.
In this Post
Key Concepts — This space is full of jargon, so we clarify the terms first.
Security Practices in Engineering — We examine which practices engineers and developers implement.
Teamwork — We close with the teamwork and team rituals this requires.
We want this journey to be interactive—so I encourage you to share your thoughts, challenges, or solutions in the comments below or contact our team.
Have you faced friction in implementing security practices?
Are there gaps, or best practices you’ve found invaluable? Let’s keep the conversation going!
If you missed part 1, please see:
Definition of Key Concepts
Product Security
Product security is often confused with corporate security, but they serve distinct purposes in mature organizations like Cisco, which typically have two separate teams:
• Corporate Security (CSIRT): This team manages the security of the IT infrastructure, endpoints, and internal data. They handle internal incidents and threats that target the organization itself.
• Product Security (PSIRT): This team focuses on ensuring the security of products shipped to customers. It works closely with engineering and customers to manage vulnerabilities and ensure security is built into the products, not just bolted on afterward.
Product security is a holistic approach that should cover the entire product lifecycle—from design and development to deployment and post-production monitoring. Security needs to be integrated early, during the design phase, rather than becoming an afterthought.
Do you feel product security is being integrated early enough in your development cycles?
Secure Software Development Life Cycle (Secure SDLC or SDL)
A Secure SDLC refers to the practice of integrating security at every phase of software development. Microsoft SDL and the OWASP SAMM framework have structured approaches to ensuring security, from planning and design to testing and deployment.
While a secure SDLC is process-centric and incredibly effective in large organizations, it can feel overwhelming as a starting point for smaller teams or departments. However, having some basic security steps early on can help avoid many issues!
Have you started implementing a secure SDLC in your organization, and if so, what challenges are you facing?
Software Supply Chain Security
The software supply chain comprises all the components, libraries, tools, and processes used to develop, build, and deliver software products. This includes internal and external elements, such as open-source libraries, third-party dependencies, and proprietary tools.
Securing the software supply chain is now a top priority for many large corporations. These companies may have already locked down their internal infrastructure, but third-party suppliers and vendors often remain a weak link. As a result, cybersecurity requirements are being added to contracts and RFPs (Requests for Proposals), forcing suppliers to meet higher compliance standards.
However, there’s often ambiguity around what exactly the software supply chain entails. Does it refer only to external vendors and open-source software, or does it include internal teams and tools used to build it?
The reality is that it’s both—and every part of the chain must be secured.
How are you managing third-party dependencies in your software?
Are you confident in the security of your supply chain?
CI/CD Security
CI/CD stands for Continuous Integration and Continuous Delivery, a practice that allows engineering teams to automatically build, test, and deploy software quickly.
Think of it as the factory where software is made.
However, the ever-changing CI/CD pipelines require strong security measures. CI/CD security protects every step of this process—from the tools and processes involved to the software artifacts produced. Failure to secure the pipeline can lead to vulnerabilities affecting your product and customers.
It is also about using CI/CD to enforce security tooling and to ensure that critical issues are not shipped to customers.
How are you securing your CI/CD pipeline?
Are there areas where you see room for improvement?
Shift Left
Shift Left is a security concept emphasizing the importance of integrating security checks and practices earlier in the development process—essentially shifting them left on the project timeline. Traditionally, security checks happen late - way too late! - in the cycle, just before deployment.
With Shift Left, teams aim to catch issues during the design and development phases, when fixing them is easier and cheaper.
Shifting left ensures that security becomes part of the daily development workflow, reducing the chances of vulnerabilities in production. By embedding security into coding, testing, and review processes, you set a solid foundation.
Are you practicing Shift Left in your development cycles?
What benefits or challenges have you seen?
Software Security Practices in Engineering and Product
Building secure software isn’t just about having the right tools; it’s about embedding security practices across every development phase. Here’s a breakdown of critical areas where engineering teams should focus their efforts:
Policy
Focus: OWASP Application Security Verification Standard (ASVS), EU Cybersecurity Resilience Act (CRA).
Importance: Security policies are the backbone of a secure development process. You follow best practices and reduce legal and reputational risks by aligning your practices with industry standards like OWASP ASVS and ensuring compliance with regulations like the EU CRA. These policies create a baseline to ensure security is part of every decision made during the product lifecycle.
Design
Focus: Threat modeling, trust boundaries, and High-Level Design (HLD) documentation.
Importance: Security must start at the design phase. By incorporating threat modeling and clearly defining trust boundaries, teams can foresee potential vulnerabilities and attack vectors before writing a line of code. HLD documentation ensures that everyone understands the architecture from a security standpoint, minimizing the risk of missed issues later in development.
Code
Focus: Static Application Security Testing (SAST), source code analyzers, vulnerability scanning (e.g., SQL injection, enumeration), Dynamic Application Security Testing (DAST).
Importance: During development, code should be analyzed for vulnerabilities as early as possible using tools like SAST. Identifying issues like SQL injection or enumeration vulnerabilities before code moves into production significantly reduces risk and saves time on costly fixes later on. These practices ensure security is embedded at the core of your codebase.
Dependencies
Focus: Software Composition Analysis (SCA), Software Bill of Materials (SBOM), Open Source Software (OSS) management, and third-party vulnerabilities.
Importance: Software security isn’t just about your code. Modern applications rely heavily on third-party libraries and open-source components, so SCA tools are essential to identifying risks in these dependencies. SBOMs help track and verify the security of external software components, ensuring you’re not introducing vulnerabilities via your supply chain.
CI/CD & Testing
Focus: Automated testing, unit tests, feature testing.
Importance: Every build should undergo rigorous automated testing to catch vulnerabilities early in continuous integration and delivery pipelines. This includes unit tests to validate individual components and feature testing to ensure new functionality doesn’t introduce security risks. Secure CI/CD practices help maintain agility without compromising security.
Leakage
Focus: Secret leakage prevention, misconfigured S3 buckets, exposed API keys.
Importance: It’s alarmingly common for sensitive information like API keys, passwords, or tokens to be unintentionally exposed in public repositories or logs. Preventing secret leakage by securing cloud storage (e.g., S3 buckets) and employing secret management tools is essential to protect sensitive data from falling into the wrong hands.
Runtime
Focus: Penetration testing, hosting environments, Cloud Security Posture Management (CSPM), Web Application Firewalls (WAF), and hardening.
Importance: Security efforts must continue even after deployment. Penetration testing and regular scans of hosting environments can identify vulnerabilities that could emerge post-deployment. Tools like CSPM ensure cloud environments are secure, and implementing WAFs and other hardening techniques protects applications from real-world attacks in runtime environments.
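As an added example (not code from the original post), here is the kind of pre-commit / CI gate that the CI/CD & Testing and Leakage items above describe: it scans only the newly added lines of a diff for secret-shaped strings and returns a non-zero status so the pipeline blocks the change before it ships. The rule names, the entropy threshold and the sample diff are constructed assumptions of mine, not part of any real project.

```python
import math
import re

# Secret shapes the gate looks for: two with fixed structure, plus a generic
# "name = 'value'" assignment reported only when the value looks random enough
# to be a live credential rather than a placeholder. Rule names are assumptions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits per char (assumed); words and repeated placeholders score lower

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, English-like text low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_added_lines(diff_text: str) -> list:
    """Scan only the '+' lines of a unified diff (what is about to be committed);
    return one finding per match, with the matched text redacted."""
    findings = []
    for idx, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # context, removed lines and file headers are not new exposure
        for name, pat in PATTERNS.items():
            m = pat.search(raw[1:])
            if not m:
                continue
            if name == "generic_api_key" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy value such as "changeme": likely a placeholder
            findings.append({"rule": name, "diff_line": idx, "preview": m.group(0)[:6] + "..."})
    return findings

def gate(diff_text: str) -> int:
    """CI-style exit status: 0 lets the commit/merge through, 1 blocks it."""
    return 1 if scan_added_lines(diff_text) else 0

# Constructed sample diff: no real credentials (the AWS value is the documented
# AWS example key). In a hook you would feed it: git diff --cached | python secret_gate.py
SAMPLE_DIFF = """\
+++ b/config.py
@@ -1 +1,4 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "changeme_changeme_change"
+DB_PASSWORD = "x9Q2vL7mTz4pR8wN1kYb"
"""
```

On the sample diff the gate reports the AWS key and the high-entropy password but lets the obvious placeholder through, which is the trade-off every secret scanner tunes between noise and coverage.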
Do not forget the most important part: working together!
When we talk about teams in software security, we’re not just referring to individual developers or security engineers. We’re talking about the organizational practices that support and strengthen security from a human and cultural perspective. It’s all about working together and continuously improving the security of your software product as a collective effort.
An organizational security culture goes beyond technical measures and is crucial for integrating security into the company's core. Here is why it matters.
Firstly, a proactive approach involves organizing teams to prioritize security from the outset of the development lifecycle, preventing issues before they emerge. For example, security champions ensure consistent CI/CD practices and secure coding implementation. Security is not an afterthought but an integral consideration at every product lifecycle stage.
Secondly, embedding security into team rituals decreases the frequency and severity of issues over time. For instance, a well-organized incident response team can swiftly address leaks of sensitive information, preventing minor problems from escalating into major incidents.
Lastly, a well-structured team-focused security effort bridges the gap between technical implementation and human factors, making security a company-wide priority. With an active security guild, every team member feels empowered to contribute to the product's security, ultimately strengthening the organization.
That said, there are many different practices in the organizational space. Here are the ones we’ve encountered so far.
Key Practices for a Successful Team-based Approach
Security Champions
Appointing security champions within development teams ensures that secure coding practices, testing, and CI/CD processes are consistently applied. These champions act as advocates, helping to bridge the gap between engineering and security and ensuring that security is always at the top of mind during development. They serve as local experts and help keep security on the radar across teams.
Security Guilds
Cross-functional teams or guilds of developers, security engineers, product managers, and other stakeholders work together to improve security practices. This collaboration fosters an environment where everyone contributes to the security conversation. By bringing diverse perspectives together, teams can identify risks earlier and make security a natural part of the development process.
Incident Response Team
A dedicated incident response team ensures quick action when security threats arise. For instance, if sensitive information like API keys or passwords is accidentally leaked, this team can immediately address the issue, contain the breach, and remediate it before it escalates into a more extensive security disaster. A well-prepared response team can be the difference between a minor incident and a significant breach.
Public Disclosure
It’s essential to have a clear protocol for publicly disclosing vulnerabilities to customers or stakeholders. Transparency builds trust, and an organization with a process in place can effectively communicate and manage vulnerabilities when they are discovered. This maintains customer confidence and shows a commitment to handling security responsibly.
Team Awareness & Training
Regular training and awareness programs are essential to reducing human error—a leading cause of security incidents. Security becomes part of the daily workflow by empowering employees at every level with the knowledge to recognize and prevent risks. When teams are well-informed, they are more likely to notice potential issues and act on them quickly, helping to prevent avoidable security breaches.
Building a security guild within your organization creates a foundation where security is not just about tools or technical measures but a shared responsibility ingrained into every part of the company’s culture.
Conclusion: Security is a Team Sport
Ultimately, software security isn’t just about the tools you use or the processes you follow—it’s about working together as a team to create a security-first mindset.
By embedding security into every stage—from policy and design to coding and deployment—you’ll reduce risks, catch vulnerabilities early, and foster a proactive approach to security. Remember, security isn’t a one-time task.
At CyGO Entrepreneurs, we’re in an exciting discovery phase as we build a new platform focused on improving software security. We want to hear from you—whether you’re a developer, security engineer, or product leader—so we can shape this platform to meet the challenges teams face.
Let’s continue building better, safer products as a community of Cyber Builders.
Laurent 💚