In the high-stakes world of software development, the cost of neglecting security early in the lifecycle can be staggering. A case in point is the 2022 Optus data breach, in which threat actors exploited an unauthenticated, internet-exposed API and stole more than 9 million personal records, leading to around $140 million in breach-related costs, including replacing compromised identity documents, complimentary credit monitoring and independent audit reports. The incident, among many others, was a stark reminder of the severe consequences of overlooking secure coding practices.
Retrofitting security into live systems not only leads to skyrocketing costs but also exposes organizations to prolonged risk and eroded customer trust. It was against this backdrop that we championed a Secure by Design (SbD) approach in a global financial services organization, blending technical rigor with leadership to ensure security was integrated into every phase of development. In the following sections I will share the practical strategies we deployed with great success, and the lessons we learned along the way.
Dealing with a Sprawling Technology Ecosystem
Our organization was a global financial services company grappling with complex regulatory landscapes and high-stakes cybersecurity demands. The challenge was amplified by a sprawling technology ecosystem: hundreds of developers spread across continents, siloed processes and inconsistent security practices. Developers often viewed security as a roadblock rather than an enabler and vulnerabilities were being discovered late in the development process. This inevitably led to risky software in production, higher remediation costs, delays and regulatory fines.
The stakes were high, not just financially but reputationally. In an industry where trust is the cornerstone of business, we knew that business as usual was no longer an option. But before we delve into how we solved this complex problem, it is worth shedding further light on the problem itself.
Security as an Afterthought
Inconsistent and reactive approaches to security presented several pain points:
- Security as a Late Addition: Security was often addressed at the end of the development cycle, leading to expensive retrofitting and inefficiencies, as well as pushback from project teams whose success was measured solely on schedule and cost.
- Lack of Repeatable Patterns: Developers lacked access to repeatable, secure coding patterns, which led to duplicated effort and inconsistent outcomes. The absence of a clear set of non-negotiable controls further complicated assurance work.
- Limited Security Testing: Security testing was sporadic and heavily reliant on manual processes, increasing the risk of pushing exploitable vulnerabilities into live environments.
- False Positive Overload: Development teams were inundated with irrelevant security alerts, undermining confidence in the tooling and consuming time that would otherwise have been spent on value-adding and risk-mitigating work.
- Siloed Teams and Processes: Security was perceived as the cybersecurity team's responsibility, creating friction and resistance from developers.
Without addressing these issues, the organization risked not only increased costs but also significant operational disruptions, compliance violations and reputational damage.
The Hidden Costs of Ignoring SbD
When security is treated as an afterthought, the consequences can be severe, including:
- Escalating Costs: Retrofitting security into production systems is commonly estimated to be up to 30 times more expensive than fixing the same vulnerability during development.
- Increased Risks: Late-stage vulnerabilities often remain in production environments longer, leaving systems exposed to breaches.
- Eroded Productivity: Developers face unnecessary rework and firefighting due to avoidable issues, reducing overall productivity and team morale.
- Reputational Damage: High-profile breaches erode customer trust and invite scrutiny from regulators, leading to hefty fines and legal challenges.
The Optus breach cited above serves as a stark warning of these consequences. By not prioritizing secure coding practices, organizations leave themselves vulnerable to cascading failures.
Secure By Design in Action
Our solution was built on the principle of meeting teams where they are, aligning with existing workflows and tailoring security practices to fit seamlessly into the development lifecycle. Here are the five core measures we implemented:
- Collaborative Development of Security Checkpoints: By proactively partnering with development and engineering teams, we integrated security checkpoints into existing workflows. For example, code reviews included automated checks for vulnerabilities using tools like SonarQube and Checkmarx, reducing the burden on developers through repeatable and continuous security assurance.
- Gamified Secure Coding Training: We introduced gamified training platforms like Security Journey, enabling developers to learn secure coding through interactive, real-world scenarios. By eliminating boredom, we made security training engaging, memorable and relevant to their day-to-day work. Over time, developers started treating security as part of their DNA rather than a compliance matter imposed on them.
- Automated Security Testing: Leveraging dynamic application security testing (DAST) tools like Netsparker and Burp Suite, we automated application security testing, enabling continuous vulnerability scanning without slowing down development pipelines. Automation also significantly reduced human error, improving security posture across new applications.
- Streamlined False Positive Management: We refined our false-positive assessment process, dramatically reducing irrelevant alerts. This was achieved by customizing rules in our security tools to align with the organization's specific risk thresholds. Each suppression was recorded with its justification so that tuning remained auditable and could be revisited rather than silently hiding real findings.
- Security Risk Management Framework: We introduced a formalized framework to evaluate, prioritize and mitigate security risks. Teams were trained to handle exception processes effectively, ensuring risks were addressed without compromising agility.
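To make the first and fourth measures concrete, here is an added example of the kind of pipeline gate that sits behind an automated review checkpoint and a reviewed false-positive process. It is illustrative code written for this post, not the organization's own tooling or anything exported from SonarQube or Checkmarx: the finding fields, rule ids, file paths and severity thresholds are assumptions, and every finding and suppression in it is constructed sample data. It shows the two tuning mechanisms that cut noise without hiding risk: rule-level exclusions scoped to a path (dummy keys in test fixtures) and per-finding suppressions that name a reviewer and expire, so a lapsed suppression resurfaces instead of living forever. The threshold at which the gate fails is a parameter, which is how a single tool can be aligned with different risk tiers.

```python
"""Gate a pipeline on scanner findings, with reviewed, time-boxed suppressions.

Added example for this post, not the organization's own tooling. The finding
fields, rule ids, file paths and thresholds are assumptions, and every finding
and suppression below is constructed sample data rather than real scanner
output.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    fingerprint: str  # stable hash of rule + code context; survives line shifts


@dataclass(frozen=True)
class Suppression:
    """A triaged false positive. It records who accepted it and when it lapses,
    so the tuning is auditable and gets re-reviewed instead of living forever."""
    fingerprint: str
    reason: str
    reviewer: str
    expires: date


@dataclass(frozen=True)
class PathRule:
    """Rule-level tuning: a rule that is known noise under a given path prefix
    (for example, dummy credentials in test fixtures)."""
    rule_id: str
    path_prefix: str
    reason: str


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)
    warned: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)
    expired: list = field(default_factory=list)  # hidden before, visible again now

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(findings, suppressions, path_rules, fail_at="high", today=None):
    """Sort findings into blocking / warned / suppressed. `fail_at` is the
    severity at which the gate fails; an internet-facing service might run
    with "medium", an internal batch job with "high"."""
    today = today or date.today()
    active = {s.fingerprint for s in suppressions if s.expires >= today}
    lapsed = {s.fingerprint for s in suppressions if s.expires < today}
    result = GateResult()
    for f in findings:
        if f.fingerprint in active or any(
            f.rule_id == r.rule_id and f.path.startswith(r.path_prefix)
            for r in path_rules
        ):
            result.suppressed.append(f)
            continue
        if f.fingerprint in lapsed:
            result.expired.append(f)  # flagged so the triage is redone
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]:
            result.blocking.append(f)
        else:
            result.warned.append(f)
    return result


# Constructed sample data (assumed rule ids and paths, not real scanner output).
SAMPLE_FINDINGS = [
    Finding("py/sql-injection", "high", "app/orders.py", 42, "fp-a1"),
    Finding("py/hardcoded-secret", "high", "tests/fixtures.py", 7, "fp-b2"),
    Finding("py/insecure-random", "medium", "app/ids.py", 10, "fp-c3"),
    Finding("py/path-traversal", "critical", "app/files.py", 88, "fp-d4"),
]
SAMPLE_SUPPRESSIONS = [
    # Accepted by a reviewer but now lapsed: the finding must surface again.
    Suppression("fp-d4", "input validated upstream", "appsec-lead", date(2024, 12, 31)),
]
SAMPLE_PATH_RULES = [
    PathRule("py/hardcoded-secret", "tests/", "dummy keys in fixtures"),
]
AS_OF = date(2025, 1, 15)  # fixed "today" so the sample is reproducible


def run_sample(fail_at="high"):
    return evaluate(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS, SAMPLE_PATH_RULES,
                    fail_at, AS_OF)


if __name__ == "__main__":
    r = run_sample()
    print("gate passed:", r.passed)
    for label, items in (("blocking", r.blocking), ("warned", r.warned),
                         ("suppressed", r.suppressed), ("expired", r.expired)):
        print(f"{label}: {[f'{f.rule_id}@{f.path}:{f.line}' for f in items]}")
```

With the sample data the gate fails at the default "high" threshold: the SQL injection finding blocks outright, the path traversal blocks because its suppression has lapsed, the test-fixture secret is suppressed by the path rule, and the weak-randomness finding is only a warning. Raising the threshold to "critical" leaves only the path traversal blocking, which is the kind of per-repository tuning the fourth measure describes.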
The Leadership Approach: Driving Cultural Change
Still, we could not have established a sustainable security culture without the right signals from the top. Leadership played a pivotal role in the success of SbD. By involving stakeholders at every level, from cybersecurity ambassadors to technical leads, we built a shared security vision. Our Cybersecurity Ambassadors Program became a platform for championing secure practices, scaling security impact, fostering collaboration and gathering actionable feedback to refine processes.
The six-month pilot program with a highly technical development team proved invaluable. It demonstrated that SbD could be integrated seamlessly without disrupting productivity and provided a template for scaling the initiative enterprise-wide.
The Results: A More Secure and Agile Organization
The Secure by Design initiative delivered measurable outcomes:
- 60% Reduction in False Positives: Streamlined processes allowed developers to focus on genuine security concerns.
- 30% Faster Time-to-Production: Automated security testing minimized delays in the development pipeline, securing buy-in from project management.
- Improved Developer Engagement: Gamified training increased developer participation in security initiatives by 70%.
- Enhanced Compliance: We established demonstrable and mature security practices, helping the organization meet regulatory requirements, avoid penalties and lower the cost of compliance.
Looking Ahead
The Secure by Design framework is not just a technical approach; it’s a cultural shift that prioritizes security as a shared responsibility. By focusing on people, refining processes, and leveraging technology, organizations can embed security into their DNA, delivering secure, resilient systems without compromising innovation or agility. Over time, this proven approach optimizes security investments, secures business engagement and eliminates waste.
Author’s note: Application Security Engineer Richard Lazaro played an instrumental role in the technical implementation of the concepts discussed in this blog post.