When an application is finally ready for deployment, the last thing the development team wants to hear is: \u201cStop! There\u2019s a security issue.\u201d And then, after months of painstaking work, their application launch is delayed even further.\n\nThat\u2019s why Discover\u00ae Financial Service\u2019s product security and application development teams worked together to shift security left by integrating security by design and conducting early security testing often to identify vulnerabilities prior to hitting deployment.\n\n\u201cIf you want to make a change, make it in the early stages of the software development lifecycle,\u201d said Pratiksha Panesar, director of cybersecurity at Discover Financial Services. \u201cOnce you get to the right side of the software development life cycle, making changes becomes expensive and you must go back to the drawing board. So, how can we instill the security mindset, tooling, and process more to the left to minimize disruption?\u201d\n\nHere\u2019s a look at how Discover uses technology to catch vulnerabilities early and evangelize security throughout the organization.\n\nScanning for vulnerabilities at each stage\n\nMost Discover development teams use a single system to build, test, and launch their applications and products: it\u2019s a CI\/CD pipeline we internally call the Trident Pipeline. This pipeline helps move products to market faster and create a standardized process for application deployment.\n\nSo, how does the Discover security team keep an eye on vulnerability risks at every stage of development? By integrating their solutions into the Trident Pipeline.\n\n\u201cWe leverage our internal processes and capabilities to integrate security right at the design stage with threat modeling, continuing with scanning tools from the integrated development environment (IDE) stage to deployment,\u201d Panesar said. \u201cThe tools not only flag vulnerabilities but also provide just-in-time remediation guidance to the application teams. We are continuing to build new capabilities to provide business context and the risk related to the vulnerabilities.\u201d\n\nAppointing security advocates within development teams\n\nDiscover also runs the Security Champions program to identify security advocates within each application team. These advocates can help identify risks and misconfigurations in the code and receive training on how to address them.\n\n\u201cSecurity Champions are, essentially, an extension of the security team, helping to scale application security to the developers who build the products and applications,\u201d Panesar said. \u201cIf we see they\u2019re running into security vulnerabilities early, we\u2019ll say, \u2019How can we coach you so you can coach your own application team?\u2019\u201d\n\nInspiring action with shared knowledge\n\nThe security team also empowers developers to address security issues by providing them with tutorials and frameworks for doing so.\n\n\u201cWe have implemented several capabilities from bots to advisory support for the application teams to understand the risk and manage it at the optimum level. We realize there are multiple ways to address a specific vulnerability. We want developers to be productive and not spend time trying to figure out the remediation path that has been solved for otherwise," said Panesar.\n\nThat\u2019s why the security team created a Golden Paths document for heeding these warnings. Golden Paths is comprised of guides, tutorials, best practices, and shared knowledge from across Discover to help developers complete specific tasks \u2014 so they can get back to coding.\n\n\u201cSome teams know they have to shift left with security, but they don\u2019t know how to do it in a meaningful way,\u201d Panesar said. \u201cThat\u2019s where our Golden Process documents can help. They say, \u2018Don\u2019t wait until the last moment. There are a number of ways you can be aware of vulnerabilities, fix them, get the disposition ahead of time.\u2019\u201d\n\nConclusion\n\nThe Cybersecurity and Infrastructure Security Agency recently published guidance for building cybersecurity into the design for products. At Discover, we started the effort two years ago by publishing security on functional requirements and integrating that into the design phase of the product delivery framework and furthered that approach with incorporating threat modeling, secure design reviews, and secure development framework. This is an ongoing journey, but we are laser focused on improving the reliability of our products while improving developer productivity.\n\n\u201cI\u2019m incredibly proud of how technologists at Discover have collaborated to shift left on security. The way our team has scaled security into the SDLC enables Discover to increase product velocity and achieve its mission of becoming a top digital financial services firm,\u201d said Shaun Khalfan, Chief Information Security Officer at Discover.\n\nLearn more about how Discover is innovating to shape the future of financial security by visiting our Discover Technology website.