SDLC: ship faster without sacrificing security or quality
Updated: Oct 29, 2020
Accelerating the development lifecycle without cutting corners is no easy feat but it can be done. While there's no "silver bullet" solution, adopting a security-first mindset and a few workflow best practices can help.
Security as a first-class citizen
Ensuring every line of code is secure is a shared responsibility, meaning security should be top of mind from the very beginning of the development process. Don't wait until the very end to start the conversation around security and check for vulnerabilities.
Whether you have dedicated security experts, or perhaps a lead engineer who's wearing multiple hats, talk about security from the get-go so that security issues can be identified earlier, and vulnerabilities can be avoided altogether.
Make smaller changes and commit often.
Perhaps the most critical adjustment to make to your workflow is how you actually write and collaborate on code. When we talk about development speed, a big part of this is transitioning away from developing huge portions of code over long periods of time to making smaller changes more often and making that work visible sooner.
By adopting this practice, it's quicker to perform code reviews and security checks because reviewers are only dealing with a couple of changes. Then, if there is an issue, it becomes much easier to identify the cause because there are fewer new variables to consider.
Involve experts and reviewers early in the development process.
Involving collaborators and reviewers earlier in the development process does two things. First, it can speed up the development process by giving stakeholders an opportunity to anticipate problems before developers begin to write code, and nip them in the bud. It's common to involve your UX team, product managers, and software architects during the planning phase and throughout the code review process, but often security is left out.
Get your security experts involved in the earlier phases of your development process so it doesn't become a bottleneck right before you're trying to release.
Secondly, by keeping all stakeholders involved in the conversation throughout the development process, you can ensure that by the time the code is ready to move into production, most errors have been spotted and corrected.
Get code into staging or test environments earlier.
This goes back to the high-level concept that we want to work on small pieces of code and get them integrated into the mainline branch right away to minimize the risk of something not working, or not accounting for certain things.
"The point of pushing code into production-like environments is to get your feature into a place that looks and functions more like the real world," says Victor. Getting your code into staging or test environments sooner can also help to minimize security risks.
Again, if you're developing in small chunks and getting that work into those environments early, stakeholders can jump in and start testing the feature sooner.
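As an added example that is not part of the original post and not GitLab's own configuration, the pipeline below shows what the practices above look like when wired into a `.gitlab-ci.yml`: every merge request (the small change) runs unit tests and GitLab's maintained SAST template, gets its own review environment, and the default branch deploys to staging. The `include` template name and the `CI_*` predefined variables are real GitLab features; the container image, the `deploy.sh` script and the `example.com` hostnames are constructed placeholders to be replaced with your project's own.

```yaml
# Added example (not from the original post or GitLab's docs):
# security checks and a review/staging deployment on every small change.
# The image, deploy.sh and hostnames are constructed placeholders.
stages:
  - test
  - deploy

include:
  # GitLab-maintained SAST jobs; they run in the "test" stage on MRs and branches.
  - template: Security/SAST.gitlab-ci.yml

unit-tests:
  stage: test
  image: node:lts                      # placeholder runtime image
  script:
    - npm ci
    - npm test
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# One short-lived environment per merge request, so reviewers and security
# stakeholders can exercise the feature before it reaches the mainline.
review-app:
  stage: deploy
  script:
    - ./deploy.sh review "$CI_COMMIT_REF_SLUG"   # placeholder deploy script
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com   # placeholder host
    on_stop: stop-review-app
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

stop-review-app:
  stage: deploy
  script:
    - ./deploy.sh stop "$CI_COMMIT_REF_SLUG"
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
  allow_failure: true

# Merged changes land in a production-like staging environment right away.
deploy-staging:
  stage: deploy
  script:
    - ./deploy.sh staging
  environment:
    name: staging
    url: https://staging.example.com   # placeholder host
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Because the pipeline definition lives in the repository, the security gate is reviewed and versioned alongside the code it protects. Keeping merge requests small means each SAST report covers only a handful of changes, which is what makes a finding easy to attribute and fix before the change reaches staging.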
Licensed from https://about.gitlab.com/blog/2017/06/05/speed-security-quality-with-hackerone/