DevSec For Scale Podcast – Development Velocity With Security w/ Harshit Chitalia, Tromzo

In this episode of the “DevSec for Scale” podcast, host Jeremy Hess welcomes Harshit Chitalia, CTO and co-founder of Tromzo, a startup focused on integrating security into the daily practices of developers. Harshit discusses the importance of embedding security throughout the development process to ensure both speed and safety in product releases. He emphasizes that waiting until the release stage to address security is too late, as it leaves products vulnerable and can result in customer pushback.

Harshit shares insights from his experience and the practices of leading companies like Google, Airbnb, and Netflix. He highlights how security has evolved from traditional firewall measures to today’s software-centric approaches, where everything from infrastructure to networks is managed through code. This shift requires a new strategy for integrating security, as developers now write only a fraction of the code, relying heavily on external dependencies that can introduce vulnerabilities.

To maintain both feature velocity and security, Harshit suggests a three-pronged approach involving technology, people, and process. On the technology front, tools like GitHub’s Dependabot for dependency scanning and secret scanning can be integrated into the development workflow to catch vulnerabilities early. He advocates for shifting security checks left, embedding them into the development process itself rather than waiting until production.

Harshit also emphasizes the importance of creating a security-conscious culture within development teams. This includes training developers on secure coding practices and gamifying security efforts to motivate engineers. By fostering a sense of responsibility for security across the team, organizations can ensure that vulnerabilities are addressed promptly and effectively.

Lastly, Harshit touches on the need for well-defined processes to handle security incidents. He points out that many engineering teams lack clear protocols for responding to vulnerabilities, leading to chaotic responses when issues arise. By establishing and adhering to comprehensive security policies, companies can manage risk more effectively and maintain the integrity of their systems.

Overall, Harshit stresses that integrating security into the development lifecycle is essential for modern software development. By leveraging the right tools, fostering a security-first culture, and implementing robust processes, organizations can achieve both rapid development and strong security.