The team collaboration tool provider Slack is open sourcing a new tool designed to help developers secure features with high output and low friction. goSDL is a web application tool aimed at providing an entry point for a security development lifecycle (SDL) checklist.
“For development teams, process can often be antithetical to speed. Ease of deployment and security tend to have an inverse relationship, with some resentment for the security team occasionally mixed in,” Max Feldman, staff product security engineer for Slack, wrote in a post. “We believe things don’t have to be like that.”
goSDL was developed with developers in mind. Instead of having developers rely on the security team, Slack wanted to make developers self-sufficient.
The tool works by collecting information about a feature, determining its risk rating, and generating the appropriate security requirements, according to the project’s documentation. The initial risk assessment estimates a feature’s risk before the security team gets involved. After the assessment, a Component Survey asks developers which components the feature uses, so that the resulting guidance matches what they are actually building. For instance, it can include issues from the OWASP Top 10 or requirements for a newly added component. The tool then generates a checklist from those answers, so that known issues are addressed and the risk of human error is reduced.
“The tool tailors the checklist to the developers’ specific needs, without providing unnecessary unrelated security requirements. Security experts can establish custom security guidance and requirements as checklist items for all developers. This checklist is used as a guide and reference for building secure software. This encourages a security mindset among developers when working on a project and can be used to easily track the completion of security goals for that project,” according to the tool’s GitHub page.
In addition, the goals of the project are to provide a self-service tool, enable developers to pick and choose specific components related to their projects, allow security teams to create a standardized risk assessment and checklist for the organization, and provide pluggable and customizable components.
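The workflow described above (initial risk assessment, component survey, tailored checklist with custom security-team items) modelled in Python as an added illustration; this is not goSDL’s own code, and the questions, weights, thresholds and requirement text are constructed for the example.

```python
"""Toy model of an SDL checklist generator in the shape the article describes:
a questionnaire yields a risk rating, a component survey selects the relevant
components, and a tailored checklist is built from both plus any custom
requirements the security team defines. All data below is constructed."""

# Initial risk assessment: each "yes" answer adds its weight to the score.
RISK_QUESTIONS = {
    "handles_personal_data": 3,
    "internet_exposed": 2,
    "changes_authn_or_authz": 3,
    "new_third_party_dependency": 1,
}

# Baseline requirements per tier; a higher tier inherits the lower tiers.
BASELINE = {
    "low": ["Input validation on all new parameters"],
    "medium": ["Threat model reviewed with feature owner"],
    "high": ["Security team review before launch"],
}

# Component survey: requirements attached to each component a feature uses.
COMPONENTS = {
    "web_form": ["CSRF token on state-changing requests",
                 "Output encoding (OWASP A7 XSS)"],
    "sql_storage": ["Parameterized queries only (OWASP A1 Injection)"],
    "file_upload": ["Restrict upload file types and size",
                    "Store uploads outside the web root"],
}

def risk_rating(answers: dict) -> str:
    """Map questionnaire answers to a low/medium/high tier (constructed thresholds)."""
    score = sum(w for q, w in RISK_QUESTIONS.items() if answers.get(q))
    return "high" if score >= 5 else "medium" if score >= 2 else "low"

def build_checklist(answers: dict, components: list, custom=()) -> tuple:
    """Return (tier, checklist) tailored to the risk tier and selected components."""
    tier = risk_rating(answers)
    tiers = ["low", "medium", "high"]
    items = [i for t in tiers[: tiers.index(tier) + 1] for i in BASELINE[t]]
    for c in components:
        items += COMPONENTS[c]          # unknown component -> KeyError, on purpose
    items += list(custom)
    seen = set()                        # de-duplicate while preserving order
    return tier, [i for i in items if not (i in seen or seen.add(i))]

def remaining(checklist: list, done: set) -> list:
    """Track completion: which checklist items are still open."""
    return [i for i in checklist if i not in done]
```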
“Developers are smart, and they care about the product. They want to contribute to security, but don’t always have the same security expertise as a more specialized engineer,” Feldman wrote. “By open-sourcing goSDL, we hope to enable other growing organizations to scale their security.”