The Trinity of Architects: How to Ensure Enterprise Grade Application Security
Michael’s Stores CISO Wei Dong discussed in a webinar how to turn developers into security champions by improving the developer experience. The company builds complex applications in-house that require continuous security and compliance. The approach includes integrating the security platform into developer tools, providing training and guidance, and introducing a “Trinity of Architects” to ensure end-to-end security. 2025-4-10 14:59:24 Author: checkmarx.com

We recently held a live webinar with Michael’s Stores CISO Wei Dong on the topic of developer experience and, especially, how to turn developers into security champs.

Michael’s Stores develops all of its omni-channel applications in-house; these apps are very complex and serve users at huge scale. This requires continuous security and compliance across all of the applications.

The Importance of Developer Experience

As Wei stated, a developer-focused approach to application security means devs must feel comfortable with the security platform – and that means meeting them where they ‘live’.

Integrating the security platform into IDEs, SCM platforms, and tools like Jira is just one example of how to empower developers to prioritize application security early in the software development lifecycle.

It’s also important to recognize that developers are not security experts. Providing training and remediation guidance capabilities within their IDEs is a powerful way to build their skills and raise awareness of security-critical issues, while also offering guidance and best practices for writing secure code.

The Trinity of Architects

During the webinar, Wei stressed the importance of involving all relevant parties from the beginning of every software project. Security architects and engineers must get a seat at the table from the get-go. He called this group the ‘Trinity of Architects’:

  1. Software architects: typically the person responsible for building the right software across the microservices, APIs, key features, proper design patterns, and more.
  2. DevOps/Cloud architects: typically the person responsible for environment considerations, such as choosing the cloud provider, deciding which native services are relevant for the app, how the app will interact with critical components like databases and storage, the scalability of the system, and more.
  3. AppSec/DevSecOps architects: typically responsible for securing the application from all angles, including secrets management, APIs, services, preparation for various attack vectors, and more. They also define security rules and best practices across the entire software development lifecycle (SDLC).

To watch the entire webinar and learn more about Michael’s Stores’ application security strategy, click here; it’s well worth your time.


Source: https://checkmarx.com/blog/the-trinity-of-architects/