When an application is finally ready for deployment, the last thing the development team wants to hear is: "Stop! There’s a security issue." And then, after months of painstaking work, their application launch is delayed even further.
That's why Discover® Financial Service’s product security and application development teams worked together to shift security left by integrating security by design and conducting early security testing often to identify vulnerabilities prior to hitting deployment.
"If you want to make a change, make it in the early stages of the software development lifecycle," said Pratiksha Panesar, director of cybersecurity at Discover Financial Services. "Once you get to the right side of the software development life cycle, making changes becomes expensive and you must go back to the drawing board. So, how can we instill the security mindset, tooling, and process more to the left to minimize disruption?"
Here's a look at how Discover uses technology to catch vulnerabilities early and evangelize security throughout the organization.
Scanning for vulnerabilities at each stage
Most Discover development teams use a single system to build, test, and launch their applications and products: it’s a CI/CD pipeline we internally call the Trident Pipeline. This pipeline helps move products to market faster and create a standardized process for application deployment.
So, how does the Discover security team keep an eye on vulnerability risks at every stage of development? By integrating their solutions into the Trident Pipeline.
"We leverage our internal processes and capabilities to integrate security right at the design stage with threat modeling, continuing with scanning tools from the integrated development environment (IDE) stage to deployment," Panesar said. "The tools not only flag vulnerabilities but also provide just-in-time remediation guidance to the application teams. We are continuing to build new capabilities to provide business context and the risk related to the vulnerabilities."
Appointing security advocates within development teams
Discover also runs the Security Champions program to identify security advocates within each application team. These advocates can help identify risks and misconfigurations in the code and receive training on how to address them.
"Security Champions are, essentially, an extension of the security team, helping to scale application security to the developers who build the products and applications," Panesar said. “If we see they’re running into security vulnerabilities early, we'll say, 'How can we coach you so you can coach your own application team?'"
Inspiring action with shared knowledge
The security team also empowers developers to address security issues by providing them with tutorials and frameworks for doing so.
"We have implemented several capabilities from bots to advisory support for the application teams to understand the risk and manage it at the optimum level. We realize there are multiple ways to address a specific vulnerability. We want developers to be productive and not spend time trying to figure out the remediation path that has been solved for otherwise," said Panesar.
That's why the security team created a Golden Paths document for heeding these warnings. Golden Paths is comprised of guides, tutorials, best practices, and shared knowledge from across Discover to help developers complete specific tasks — so they can get back to coding.
“Some teams know they have to shift left with security, but they don’t know how to do it in a meaningful way," Panesar said. "That’s where our Golden Process documents can help. They say, ‘Don’t wait until the last moment. There are a number of ways you can be aware of vulnerabilities, fix them, get the disposition ahead of time.'"
Conclusion
The Cybersecurity and Infrastructure Security Agency recently published guidance for building cybersecurity into the design for products. At Discover, we started the effort two years ago by publishing security on functional requirements and integrating that into the design phase of the product delivery framework and furthered that approach with incorporating threat modeling, secure design reviews, and secure development framework. This is an ongoing journey, but we are laser focused on improving the reliability of our products while improving developer productivity.
"I'm incredibly proud of how technologists at Discover have collaborated to shift left on security. The way our team has scaled security into the SDLC enables Discover to increase product velocity and achieve its mission of becoming a top digital financial services firm," said Shaun Khalfan, Chief Information Security Officer at Discover.
