March 24, 2023 Can Development Velocity and Security Coexist?

Manufacturers developing custom software can’t afford to sacrifice security for speed to market.

Developing custom software is no longer exclusively for software businesses. Other industries including manufacturers are dipping their toes into this space, launching their own products, building new platforms, or updating offerings for monetization.

But there’s a problem: developing custom code is expensive so product development may be rushed to speed return on costly investments. High developer velocity can have a positive business impact, including faster revenue growth and higher shareholder returns, but prioritizing growth over care isn’t always a good thing.

Reducing development velocity seems like the obvious solution, but that could put you behind competitors. Speed to Market, after all, dictates how fast manufacturers will deliver products to customers and, crucially, whether they’re faster than the competition to gain market advantage.

Why does that matter to dev teams? Development involves many links in the chain which need to work together to produce a successful, secure product on time. Failures send a ripple effect through internal operations and have a knock-on effect on other departments.

Measuring Development Velocity

A software development team needs to compare what it promised to do with what it accomplished. Lack of consistency would make accurate project planning virtually impossible.

While measuring development velocity is specific to every team, there are general guidelines. You should aim to measure the quality of code and the speed at which that code was written. More quantitatively, you could measure based on two methods:

Story point-based measurement: Story points are a unit of measure for estimating the total effort needed to implement a product backlog item. Based on these story points, total development team velocity can be calculated based on the number of backlog items completed in a given period.

Time-based measurement: For this method, development velocity is measured based on the number of hours used to complete each task. You can use this in projects where the scope is determined upfront. 

Security and Velocity Don’t Need to Be Mutually Exclusive

Five steps can be used to maintain high development velocity without compromising on security.

Contribute to a Communication Culture
Culture can make or break the way teams work. Good communication encourages problem-solving and experimentation and creates a better work environment. A recent McKinsey study found that companies in the top quartile of the Development Velocity Index (DVI) scored 55% higher on innovation scores.

A good communication culture requires sharing knowledge and ideas, admitting mistakes, learning from failures, and asking for feedback, making it easier to develop best practices for security. Doing this enables developers to feel comfortable giving their thoughts, leading to a collaborative environment with continuous improvement and shared goals. 

Adopt and Integrate DevSecOps
Integrating DevSecOps at every stage of SDLC helps in prioritizing risks without compromising developer agility to stay on track for business and personal KPIs. DevSecOps elevates the DevOps process by automating security at every stage of SDLC, from initial design to production. 

Find and Fix Vulnerabilities Early
If you think customers won’t notice security, design, and production flaws, think again. While poor experiences can mean customers stop using your product, there are more dangerous risks including data breaches, financial losses, and PR nightmares. Finding and fixing vulnerabilities early makes the development process more cost-effective because security issues are more expensive to fix in the future. 

Take Ownership to Keep Your Secrets Safe
Leaked secrets can impact the velocity of the development process and the security of your whole operation. Fortunately, it’s an avoidable problem. 

Providing team members and fellow developers with comprehensive training on security best practices encourages them to take ownership to protect their secrets. Taking an agile approach and trusting in each other’s expertise helps devs agree on security and compliance and work more efficiently.

Alternatively, secret management tools can be used to store sensitive data and keep credentials organized and accessible to the right people. Tools ensure that the encryption and decryption lifecycle is completed correctly, eliminating delays caused by flaws, breaches, and leaks.

Use AI-Driven Tools
The rise of AI is reducing manual work for developers by equipping them with tools to complete test automation, coding, continuous integration tasks, and more. IBM notes that AI tools potentially can change architecture, team structure, and engineering principles, but only when team leaders and devs establish an AI playbook outlining KPIs and success metrics.

Applying automation to the security detection process also gives devs time to focus on other priorities. Automated security solutions scan your codebase to interpret data patterns, identify errors, and quickly alert devs to any security flaws that require a swift resolution.

In the end, the right tools and knowledge can help projects to maintain development velocity and avoid vulnerabilities and security loopholes.

Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies. Dotan was the co-founder and CEO at Spectralops, which was acquired by Check Point Software, and now is the Head of Developer-First Security. Dotan is an experienced hands-on technological guru & code ninja. Major open-source contributor. High expertise with React, Node.js, Go, React Native, distributed systems and infrastructure (Hadoop, Spark, Docker, AWS, etc.). https://www.checkpoint.com/.

Subscribe to Industry Today