Going beyond compliance: How Secure Code Warrior empowered Netskope developers to code cloud solutions at scale

Published Nov 15, 2023
Case study

Background

Netskope, a global SASE leader, helps organizations apply zero trust principles and AI/ML innovations to protect data and defend against cyber threats. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements.

Situation

The speed of innovation in cloud computing and AI has greatly accelerated the software development lifecycle. James Robinson, Deputy CISO at Netskope, recognized that training developers to meet compliance objectives with videos about secure development in only a handful of languages was not sustainable in today’s market. The rapid adoption of these technologies and the rapid change in his organization made it a challenge to keep Netskope developers up to speed on new languages and technologies while also keeping them skilled at security.

Netskope attempted to create more custom connections to broaden the languages and coverage developers received, but engagement was still very low, and soon the training began to challenge productivity. James wanted to shift their approach so that developers were excited about the subject through more hands-on learning approaches.

Action

Training that was done annually, or available ad hoc, didn’t holistically address the variety of SAST tools and infrastructure-as-code scanners that could be integrated into the CI and CD security steps at Netskope. Netskope needed to be able to integrate developers’ participation in security into the analysis and testing process. That provided a baseline for secure development education that supplemented their compliance requirements.

Shift left

As Netskope began discussing “shift left”, it raised the question: what does shift left actually mean? How far does one need to shift? Leadership decided to change the name internally to “self-service adoption”. In principle, this empowered developers to be proactive about their secure code education. Working with Secure Code Warrior, they built a program that made security content visible and accessible to developers so they wouldn’t wander to unvetted solutions.

Actionability and value

The customizable content and a myriad of hands-on learning activities from Secure Code Warrior also opened the floor for more open, productive conversations between security and developer teams. When developers began realizing value, outside of just achieving compliance, they became more engaged and intrigued about security. It also opened up the opportunity to look at critical and recurring vulnerabilities in order to create more educational content to supplement their program.

Results

After rolling out their program, Netskope was diligent in collecting feedback from developers to ensure they were getting the most value from the platform. The results were overwhelmingly positive.

According to James Robinson, Deputy CISO at Netskope:

“Our developer team, thanks in large part to Secure Code Warrior’s platform, has successfully shifted left by embracing a more enticing, self-service learning approach that gets learning pathways into the developers’ hands sooner. More importantly, we feel we’re getting a better return on investment with our developer educational training efforts because of higher participation and the fact that these efforts no longer feel like they’re a check-the-box, compliance-mandated activity. The byproduct of all of this is that we’re enabling our developers to be security champions.”

Key takeaways

  • Organizations that do not invest in a strong application security team allow for more risk to be introduced through their code. This ultimately wastes both time and money fixing vulnerabilities and addressing security issues.
  • Take advantage of a program that helps save time with just a couple of key learnings every month through relevant content, rather than an hour-long, compliance-oriented annual training. The time saved through educating developers will manifest in the reduction of rework needed to fix vulnerabilities that shouldn’t have been introduced in the first place.
  • There is a new mandate to code cloud solutions at scale. Years ago, there was an expectation to get developers fully invested in securing code through one programming language. That is no longer the case in today’s high-tech marketplace. You need to pick multiple languages that align best to the cloud infrastructure and applications a company wants to build out and pursue.