Gainullina Ekaterina, Security Vision
Introduction
This year I was able to speak at PHDays Fest 2025 and today I want to share brief summaries from my report.
As incidents involving application vulnerabilities increase, companies are rethinking their processes and looking for tools that enable them to build truly secure products. But why is it that implementing secure development processes (SSDLC) is so often a formality, resulting in only a semblance of security?
From one-off audits to a real process
The traditional approach to security often boils down to one-off audits: every six months the product is tested for vulnerabilities, an impressive report is generated, and the process is considered complete. In practice, such a format rarely leads to increased security. The reason is that security is perceived as an event, and not as a constant property of the development process.
Organizations, introducing numerous regulations and checklists, hope to close the risks, but they encounter resistance from the team. Processes that interfere with work are bypassed or formally performed for the sake of appearances. True security is achieved when it is built into the daily development flow and is not perceived as external control. This requires a change of emphasis - from bureaucracy to the integration of security at all stages of the product life cycle.
Why Development and Security Speak Different Languages
At the root of many failures is a disconnect between three key parties: developers, businesses, and security. Each has its own optics. Developers are focused on speed and releasing new features, businesses are focused on profits and deadlines, and security is focused on minimizing risks and complying with policies.
Without a common context and dialogue, security processes are perceived as an obstacle: the business sees security as a drag, developers see security as bureaucrats, and security feels under-authorized. All of this fuels conflict, resulting in formal SSDLC failing to deliver real results.
SSDLC: Beautiful Theory, Harsh Practice
Most companies, in theory, declare the implementation of SSDLC: they prescribe security steps at all stages of development, include threat analysis, code reviews, and penetration tests. In practice, the process often starts too late - security is included only at the end of the project, when the main decisions have already been made and the product is almost ready.
As a result, teams are faced with a sudden influx of security requirements and bugs, often when deadlines are tight and all attention is focused on the release. Security reports become a "check mark", and the vulnerabilities found become unresolved problems that no one is in a hurry to fix. A formal approach leads to an illusion of control instead of a real result.
Checklists and policies are no guarantee of safety
Many organizations rely on checklists and detailed policies, believing them to be sufficient tools for ensuring security. However, even the most detailed regulations will not protect against errors if they are not integrated into the team’s actual work. Formal control creates a false sense of security: a developer can sign off on the readiness, go through all the points, but miss a critical vulnerability simply because he did not receive timely feedback at the time of writing the code.
Security is not a set of formal requirements, but a living part of the development culture. Checklists should not be just a bureaucratic procedure, but a useful hint that helps to avoid mistakes where it really matters.
PDF instead of dialogue: a waste of time and trust
One of the main problems is the lack of prompt two-way communication between security specialists and developers. Instead of a live dialogue, teams exchange heavy PDF reports that arrive very late. Developers, receiving such reports, are already thinking about other tasks and often do not understand the essence of the problems or are not ready to return to the old code. The result is delayed fixes, decreased motivation and deterioration in the quality of work.
Late = expensive
The later a vulnerability is detected, the higher the cost of fixing it. An error found before a release can stop a product launch, cause an emergency, and cause major financial losses. Teams are forced to urgently redo already tested functionality, postpone releases, and disrupt business plans. Trying to speed up work, companies often put security on the back burner, ultimately risking losing much more — both money and reputation.
Why processes don't take hold
When security is introduced as an external and inconvenient process, teams start looking for ways to bypass it. Anything that breaks the usual flow of work causes resistance: checks are performed formally or ignored, vulnerability search turns into another routine duty. The only way to make security effective is to integrate it into the team’s usual tools and processes, to make it part of the daily routine, and not an externally imposed duty.
Security is not a check, but an escort
The modern approach requires rethinking the role of security: from an external controller, it should become a mentor and partner who accompanies the team at every stage. Like the autosave function in a text editor, security should be invisible, but constantly support the workflow and protect against critical errors.
The Four Principles of SSDLC Without Barriers
There are four principles that are important to building a working secure development process:
1. Clarity: clear and transparent requirements, no “magic” or unclear instructions.
2. Context: Advice and feedback are given in relation to specific tasks and code.
3. Automation: Anything that can be automated should be automated to avoid overloading people with manual work.
4. Invisibility: Security processes are built into the usual work steps so as not to interfere with developers, but to support them unnoticed.
Integrating security where your team works
Security should be built into familiar tools - GitHub , Jira , IDE. For example, code analysis results should appear directly in pull request's, and security tickets are automatically sent to the task tracker. This approach allows the team to respond to problems in a timely manner and fix them during the process, rather than at the end of development.
Useful feedback - concrete actions
Feedback on security should be clear and actionable — not just "there is a bug", but what and how needs to be fixed. Ideally, such a recommendation automatically turns into a task in the project management system. This reduces the time of correction and reduces stress for the team.
When a team becomes a single thread
The main effect of built-in security is the disappearance of "walls" between developers, testers and security specialists . Instead of separate stages, a single flow appears: security issues are resolved where the task arises, and are not postponed until the final audit.
Dream Platform: Security at Every Stage
The ideal SSDLC is continuous support at all stages: from the idea and architecture, through code and CI/CD, to release and support. Security becomes part of the requirements, architectural decisions, code, automated tests, production settings, and even post- release monitoring. This approach does not require much effort for integration - the processes simply work in the background and help the team not stumble over old bugs.
Why it is necessary to implement it now
The world is accelerating, and you can't delay security. Some facts: after a new vulnerability is discovered, it takes attackers about 24 hours to develop an exploit. Imagine: news about a bug comes out, and the next day scripts are roaming the network looking for vulnerable systems. If your vulnerability fixing process takes a week, a month, a quarter, you simply won't have time.
The Russian regulator, FSTEC, generally says in its recommendations: critical vulnerabilities must be eliminated on the same day they are identified. In some industries, this is a strict requirement. And this is logical: when every hour counts, security must respond immediately.
This is where the now fashionable slogan "Shift security left" came from - shifting security to the left, that is, to the early stages. But I want to emphasize: “security to the left” is not just a trend, it is an inevitability. It is a response to the real situation: if you drag security to the end of the cycle, you are at a loss. Ideally, as we discussed, it should go hand in hand with development from the very beginning.
Real-life examples: the cost of mistakes
Stories of billions in losses due to security process errors are not uncommon. Examples from the industry (Ariane 5, CrowdStrike, etc.) show that the lack of a well-established process leads to disasters that could have been avoided by investing in a security culture in advance.
What does barrier-free SSDLC look like in practice?
During the development process, safe behavior must be formed at every stage:
-
Already at the idea stage, not only features but also threats are discussed.
-
Architectural decisions are made taking into account risks and trust boundaries.
-
When writing code, analyzers, linters, and safe practices are used.
-
The CI/CD pipeline automatically runs tests, scanners, and dependency checks.
-
Final settings and quality control before release.
-
After the release - regular monitoring, analysis of new vulnerabilities and prompt response to incidents.
It's all one process where safety is built in and perceived as part of the team's DNA, not an external requirement.
Results: Why does business need this?
The main benefits of the approach:
-
Bring new products to market faster and more safely.
-
Less conflicts and "surprises" before release.
-
Real risk reduction, transparency and control.
-
Saving resources and increasing trust within the team.
Getting Started: Five Easy Steps
1. Implement at least one automated check in CI/CD.
2. Provide security feedback directly in the pull request's.
3. Conduct joint architectural sessions with security and development teams.
4 Link detected threats and recommendations to tasks in a common tracker.
5. Measure the speed of response to vulnerabilities, not just their number.
Each of these steps does not require huge resources, but it starts the process of change.
SSDLC Formula: Clarity, Flow, Trust
Working secure development is a combination of three things: process clarity, a single workflow, and trust between all participants. If you can implement these, security ceases to be a barrier and becomes a support for the business, giving the team confidence and freedom to grow.
Secure development without barriers is a reality if you take it step by step, starting with simple changes and making security a natural part of your daily work.
 (2).jpg)