Cross-functional teams and security
Zimmerman's first recommendation is the formation of cross-functional team security efforts. Training quality assurance and development teams in security responsibilities can ensure that everyone plays a role in maintaining security. This strategy, which Zimmerman categorizes under 'organizational alignment', ensures that everyone has a seat at the table and that security becomes everyone's responsibility.
Frequent testing of business-critical apps
Zimmerman's second recommendation is more frequent testing of business-critical applications. He suggests that pipeline integration might be an effective mechanism to achieve this. However, he warns that improper or incomplete planning can lead to misaligned strategies, which can halt the development pipeline and break workflows.
Shifting left or shifting everywhere
The third recommendation Zimmerman makes is the adoption of a 'shift-left' approach, or more recently, ‘'shift everywhere'. This security ideology focuses on finding and fixing defects earlier in the development process, which can help developers be more efficient with testing, remediation and shipping code.
Fostering a security culture
Zimmerman stresses the importance of fostering a security culture within an organization. This includes both risk awareness and security expertise. He suggests investing in developer security training to build security capabilities within the development team. Not only does this help accelerate remediation, but it also helps to avoid the discovery of security vulnerabilities further down the development pipeline.