Challenges in Engaging Developers on Security

Security doesn't depend on Dev for vulnerabilities to exist. But… 1. Dev depends on Security for compliance sign-off. 2. Ops depends on Security for deployment approvals. 3. Product depends on Security for feature releases. 4. Business depends on Security for customer trust. The entire delivery pipeline hinges on how Security operates. Yet some Security teams treat developer experience like it's not their problem. Slow approval processes that take days. Unclear requirements that change mid-sprint. Manual checks that could be automated. Security gates that block without clear remediation paths. "We found issues" without explaining what or how to fix. "This can't go to production" without alternative solutions. "That's not secure" without documented standards. Then they wonder why developers route around security controls. Why shadow IT emerges. Why technical debt piles up. Why vulnerabilities slip through. Here's what actually works: 1. Clear security guidelines before development starts. 2. Automated security checks in the CI/CD pipeline. 3. Fast feedback loops with actionable results. 4. Self-service tools that don't require security approval for every change. 5. Documentation that developers can actually follow. 6. Risk-based prioritisation instead of blocking everything. Security should enable delivery, not prevent it. Your job isn't to say no. It's to show developers how to say yes securely. Build guardrails, not roadblocks. Automate gates, don't add manual checkpoints. Provide tools, not tickets. When Security becomes a bottleneck, the business moves on without you. When Security enables velocity, you become indispensable. The best Security teams make secure development the path of least resistance. They understand that developer experience is security's problem too. Because if it's hard to do securely, people will do it insecurely. Make security easy, fast, and clear. Or watch your controls get bypassed

Security friction with developers usually comes from how risk gets framed, not from people not caring. I still hear security folks say developers do not care about security, or worse, that they are careless or dumb. I have not seen that hold up in real teams. I came from writing code before moving into AppSec, and the developers I worked with cared deeply about quality, uptime, and not being the person who caused an incident. What they pushed back on was urgency without context. This tension shows up when security treats every finding as an emergency. A vulnerability shows up in a scan and the message becomes simple and absolute. Fix this now or we will get breached. When the response to any disagreement is you do not care about security, trust breaks fast. What has worked for me is grounding risk in how systems actually behave in production. Here is how I approach it in practice: - Start with exploitability, not severity labels. Is there a path from the internet to the code, or is this buried behind auth, network controls, and feature flags. - Talk through compensating controls that already exist. Rate limiting, WAF rules, service to service auth, monitoring, and rollback plans all matter. - Be clear about likelihood and blast radius. A low likelihood issue in a low impact service should not be framed the same as a reachable auth bypass. - Separate urgent fixes from planned work. Some issues need a hotfix. Most belong in normal backlog flow with a clear owner and timeline. - When you frame security this way, developers stop feeling accused and start engaging. The conversation shifts from you must fix this now to here is the risk, here is what reduces it today, and here is what we should improve next. Security is not binary, systems are layered and risk is contextual. Where do you see these conversations breaking down most in your org?

In my 100+ buyer interviews I’ve had with cybersecurity practiomers, a recurring theme surfaces: Understanding their audience is just as important as it is for marketers. Consider the various security domains: many teams play a role in its success, each with its unique mindset. For instance, developers and their role in security. A developer is not a regular techie. In fact, they are not a techie at all. A developer is a creative person. And if you put any constraints on a creative person, you will kill their creativity. Stay with me here. Security professionals may not be able to wholly understand them but they have to try to listen and hear them in order to simplify their lives, foster collaboration, enable them to innovate securely and drive business success. If not, many developers will continue to run blindly into the cloud, building new infrastructure and applications without considering the bigger picture. Risky, eh? Brutally honest insights from TJ (Tsion) Gonen of Check Point Software Technologies Ltd and Dmitriy Sokolovskiy, CISSP, QTE. (Seriously two of my favorite people. 🙌) So, how security pros can make developers lives easier: 1. Simplify and standardize cloud processes to reduce complexity and uncertainty. 2. Focus on making it easier for developers to do the right thing rather than adding roadblocks. 3. Use the language and tools that developers are familiar with to integrate security into their workflow seamlessly. 4. Automate security processes where possible to streamline development and reduce manual errors. 5. Provide ongoing education and training for developers to help them understand the importance of security and how to implement it effectively. 6. Foster a culture of collaboration and communication between security professionals and developers to ensure that security is an integral part of the development process. 🔥 Such critical insight unraveled in less than 56 minutes. Listen to the full episode in the comments below ↓ #informationsecurity #customerresearch #audience1st

In security, we suffer from “Physics Envy.” We love to pretend the enterprise is an engineering problem. Deterministic. Linear. Input: Deploy Control X. Output: Risk Y goes down. But security isn’t physics. It’s Economics. When you treat people like “bugs in the system,” you are making a category error. You are trying to debug a line of code, when you should be analyzing a market. If a Sales VP bypasses MFA to close a deal, they aren’t being “difficult”, they’re engaging in rational economic behavior: The payoff for the deal (bonus) is higher than the payoff for security compliance (zero). The user who bypasses your DLP controls isn’t “malfunctioning.” They are engaging in regulatory arbitrage. They have calculated that the cost of your friction is higher than the perceived cost of the risk, so they routed around you. That is market efficiency, not stupidity. The developer who hardcodes secrets isn’t “ignorant.” They are responding to a misaligned incentive structure where they are paid for velocity (shipping features) but taxed for security (managing vaults). As long as we act like Engineers, we will keep trying to “patch” human behavior with more training and stricter policies. But you cannot patch a payoff matrix. If you want to actually reduce risk, stop acting like a mechanic trying to fix a broken engine, and start acting like an Economist designing a better market. Don’t ask: “How do I force them to do it?” Ask: “Why is the insecure path currently the most profitable one for them?” The bug isn’t the user. The bug is the mechanism. #Cybersecurity #MechanismDesign #CISO #RiskStrategy #Leadership #TheIdentityNavigator #IdentityNavigator

The security industry has often portrayed developers as apathetic, ignorant folks who are tardy and don’t care about security or its outcomes I think that’s a ridiculous take that, in many ways, has cast security in a bad and adversarial light. I feel that a large part of the problem happens to be with how security has engaged with developers First off. Take most developer security training programs. They’re just a collection of dos and donts with simplistic “spot the bug” type lessons that don’t engage, and certainly don’t educate. It’s lazy and it comes through. For them to make sense of it, they need real-world things that they can do. This gets them to understand the stakes of the issue they deal with and truly bring some skin in the game in terms of security outcomes for things they build. Second. We have mystified security testing and treated it like some “lost dark art” that mere mortals never understand. The reality is quite different. A lot of security testing is really an extension of testing for acceptable criteria for a given feature. This needs to be mapped out and implemented as such. Want to make developers take security seriously. Make it a part of quality. Third. Vulnerability management. I often see companies going around in circles fixing the same vulnerabilities and then seeing them occur repeatedly in every cycle. Almost like “Groundhog day” for vulnerabilities. These sort of patterns are painful to all involved. You need to break the cycle with secure default libraries or implementations that allow you to eliminate entire classes of flaws.

As an application security leader, I admit I've thrown too many invalid results over the wall at the developers. It's embarrassing because as a developer myself, part of the reason I wanted to join the cybersecurity industry was to share my perspective and be an advocate for the developers, having experienced plenty of negative interaction with security teams in the past. Here's what I faced that led me to the decisions I made: - Leadership (and self-imposed) pressure to show early wins and value from my efforts that should have been resisted by setting clearer expectations. - Promises from the chosen tool vendor about result accuracy that should have been better validated and triaged before sharing with the devs. - Security team resource constraints that led me to decide to rely too much on the developer's time and expertise as opposed to my team's. - Compliance requirements that went only as far as showing scan results, without regard to effective remediation. The decisions were made carefully, methodically, and logically, but they led me down the wrong path. All I can say is I have clear firsthand lessons from all of this, and I now have a very strong and compelling case for the strategy I employ based on this experience. The developers' time is the lifeblood of a successful software product/solution. I believe we in the cybersecurity industry need to help the developers as much as possible and pursue the following, with the assistance of AI/LLMs: - More accurate security scan tool results through technology advancements - At least initial "low-hanging fruit" triage efforts from the security team - Tuning and phasing the rollout of tool scan results, starting with the result classes most likely to be accurate - Accurate codebase mapping for refactor and fix recommendations - Automated exploit examples to help build a strong case for fixing - Severity/prioritization that takes into account the "full picture" of the environment through asset inventory and an understanding of the compensating controls #securitychampions #securityculture #securityawareness #applicationsecurity #productsecurity #softwaresecurity #gamification #proactivesecurity

Even in 2025, Security Posture and Development Velocity are still widely regarded as mutually exclusive, often perceived as goals that can be achieved only at the expense of one another rather than together. But it’s not because the teams are misaligned. It’s because the security tools are outdated. Modern software is API-first, distributed, and deployed weekly, sometimes even hourly. But most security tools were built for a different era. They were designed for static web apps, not dynamic, interconnected services. Hence when they test, monitor, or protect your applications, they flood security teams with thousands of alerts that lack context, urgency, or information about their severity. They don’t know what’s normal. They can’t understand, let alone simulate and defend business logic. That’s why developers tune them out. And security teams burn out. And businesses start seeing security as a blocker rather than a growth enabler. At Levo.ai, we built a different model. Shift-left modules (security testing & monitoring) and production modules (threat detection and blocking) that are built on top of complete runtime visibility. This is why every generated alert, threat, and vulnerability is real and exploitable, comes with reproduction logic, and real-world context. Alerts are mapped to the right application, developer, and service, and pushed directly into the dev dashboards via Slack, Splunk, Jira, and Teams. With our MCP Server, developers can even produce the exact patch code needed for vulnerability remediation. The result? Developers don’t lose momentum. Security doesn’t lose trust. And enterprises no longer have to choose between growth and security. Go through the below clip, where I and Nabil Hannan discuss the same in NetSPI's Agent of Influence podcast. #cybersecurity #applicationsecurity #growth #software

For decades, we treated code security like a final exam. A developer writes lines of code, and just before release, a security expert shows up with a red pen to circle all the flaws. It’s the Work as Imagined auditing the Work as Done at the worst moment. It creates a high-stakes battle between ship it and fix it. Security realised this was a failing strategy, so security evolved from QC to Quality Assurance (QA). We shifted left, giving developers scanners and linters to run while coding. This was transformative; we’re improving the process, not just checking final product. However, we still rely on developers to choose security. And often, only when someone with security in their title nudges and cajoles to make it happen. A developer on a tight deadline, facing a scanner that takes 20 minutes or produces 500 vague issues, will skip the scan or accept the risk. If the system allows it to be bypassed, it will be. The next step is Total Quality Management (TQM). TQM makes security the path of least resistance. It makes it functionally impossible for code to go into production if it doesn't meet the agreed security standard. It is a pull request that cannot be merged until an automated, non-negotiable security check passes. It’s a GitHub Action that fails the build, loudly and automatically, if a hard-coded secret is detected. In this model, the Work as Imagined policy is no longer a PDF. The policy is the pipeline. The Work as Done is automatically and inescapably measured, not by a human auditor, but by the system itself. Crucially, this doesn't mean creating a giant, slow pipeline. A TQM framework for security uses context-based security tests. It understands the difference between a CI build and a CD release. A vulnerability in a development environment might just trigger a warning; that same vulnerability merging into production is an automatic block. This same logic applies to Infra as Code. Asking a developer to scan their code on their own desktop is good QA, but it’s optional. The next step is enforcing rules automatically in the pipeline. But this too creates a context challenge. Blocking a build for a minor issue in an early development environment wastes time and creates frustration, training engineers to ignore the system. Flexible policies understand release context. This adaptability stops developers from ignoring the alerts and ensures real issues get fixed. The shift allows security to improve DORA metrics, such as deployment frequency, MTTR, and Lead Time for Changes. Integrating security in engineering metrics encourages developers to secure the SDLC. Security stops being a conversation about rules and becomes a simple, observable, structural guarantee built into the work at machine rather than human speed. This post is a collaboration with Charlie Banyard after my post last week (link in comments). We focused on orgs that build software, and concluded the aim is to make security inevitable. Up next - identity.

One of the most overlooked challenges in #AppSec is getting #developers to actually use security tools. Take #security IDE plugins - adoption is notoriously low, especially in companies with more than 50 devs. #MCP sounds promising, but it has the same problem. Why? Because it still requires manual activation: ✅ Install a local MCP server (easy enough) ❌ Then, explicitly ask your AI assistant to scan with the security tool behind MCP - every time. In fact, it’s often easier to just use the IDE plugin instead. 🤷 Optional security doesn’t scale. If developers need to take extra steps to trigger it, most won’t. That’s not negligence - it’s workflow reality. The alternative? Security that just happens - integrated natively, scanning every change without asking developers to do a thing. It’s not about more tools. It’s about removing friction.

🚨 Your security team might be the reason developers hate security While security teams buy more vulnerability scanners and flood developers with CVSS alerts, companies like Netflix and Google are doing something completely different. They're building "guardrails, not gates." Instead of blocking developers with approval processes, they're creating platforms where security is the easy path. The result? Developers actually choose the secure option because it's faster and easier. Meanwhile, most security teams are still chasing OWASP Top 10 vulnerabilities from 2003 while developers ship AI features with completely new risk profiles. The fix isn't more tools. It's better developer experience. I wrote about how to transform your security team from "department of no" to developer enabler, with real examples from big tech companies. Link in comments 👇 What's your experience? Are security and development friends or enemies at your company? #CyberSecurity #DevSecOps #SDLC #Security #DevOps #SecurityEngineering #PlatformEngineering #DeveloperExperience #InfoSec