What is developer-first security?
Developer-first security is an emerging DevSecOps approach that puts security tools directly into developers’ hands, within their IDEs and workflows, so they can identify and fix vulnerabilities early in the software development lifecycle.

What is developer-first security?

Developer-first security is a DevSecOps approach that puts security tools directly into developers' hands within their IDEs and workflows. Developers identify and fix vulnerabilities early in the software development lifecycle rather than after code is committed.

This approach is also called in-context security because security controls operate within the development environment where code is written.

Why does application security matter?

Research shows that a majority of organizations experience security breaches annually. Application code, rather than infrastructure, is now the primary target, which makes application security critical.

Why is open source code a security concern?

Estimates suggest 60% to 90% of applications consist of open source code. Open source code is inherently more likely to contain vulnerabilities and malicious code than code generated from scratch.

Why do developers use open source despite the risk?

Developers face ever-tightening deadlines while trying to deliver quality code. Open source components are an understandable choice for busy developers, even with the associated security risks.

What was the traditional approach to security?

Traditional security operated as a separate organization that reviewed code only after it had been committed. Security teams found issues and demanded changes from developers who had already moved on to the next project.

Why did traditional security cause friction?

Security was not just an afterthought; it was a top-down process delivered by people far removed from the day-to-day challenges of development. This approach frustrated everyone involved and created adversarial relationships.

Enter DevSecOps

The goal of DevSecOps was to build on the silo-busting that happened when DevOps was implemented, so that dev, ops, and security all work together. It’s still early days, but our 2022 Global DevSecOps Survey showed promising signs: almost 29% of security professionals said they’re now part of a cross-functional security team, and 57% of security team members said their organizations have either shifted security left or are planning to this year.

Are developer-security relations improving?

Friction remains between developers and security, but there are signs that relations are improving. In 2022, fewer security professionals complained about vulnerabilities being identified late in the software development lifecycle or about difficulty getting developers to address security risks.

From the developer side, over half of developers said they are “fully responsible” for security in their organizations, while another 39% said they feel responsible for security as part of a larger team.

What is in-context security?

In-context security gives developers security tools that live in their IDE. These tools empower developers to find and fix security issues painlessly without leaving their development environment.

Key to the success of developer-first security is a change in perspectives on both sides. Security professionals need to remember developers wear a lot of hats (coding, testing, security, and even some operations functions).

Moving security in with the development team, ensuring teams have the right mix of skills, and creating a collegial environment will go a long way toward a successful developer-first security effort.

What makes developer-first security successful?

Success requires perspective changes on both sides. Security professionals and developers must adapt their approaches and attitudes toward each other.

Developers must be open to process changes and excited about contributing to code security meaningfully. Embracing security as part of the development role is essential.

How do you implement developer-first security?

Three elements create successful developer-first security programs:

  • Move security into the development team: Embed security expertise where code is written
  • Ensure the right skills mix: Teams need both development and security capabilities
  • Create a collegial environment: Collaboration replaces adversarial relationships

Benefits of developer-first security

Developer-first security delivers multiple advantages over traditional approaches.

Developer-first security reduces vulnerabilities

Finding vulnerabilities during coding is easier and cheaper than finding them after deployment. Developers fix issues immediately rather than revisiting old code.

Developer-first security improves speed

Security becomes part of the natural coding workflow rather than a separate review phase. Development velocity increases when security does not create bottlenecks.

Developer-first security improves developer experience

Developers use familiar tools in their IDE rather than switching to separate security applications. This reduces context switching and integrates security into existing workflows, which improves the developer experience.
