In many small development teams, security review responsibilities often slip into a grey area. It seems that when teams are focused on delivering features quickly, ownership of security checks tends to get lost. A recent critical vulnerability was discovered in a project we were shipping, which had been overlooked for weeks, not due to its complexity but because nobody was actively looking for it. The solution took mere minutes, but establishing consistent security checks is proving to be more challenging. I'm curious to hear how other small teams organize their security review processes. Do you assign a specific owner, or is it more of an informal approach?
3 Answers
In my experience with small teams, assigning one engineer to take charge of security sign-offs for each release has worked wonders. When there's a clear owner, it's much harder for vulnerabilities to sneak through, even when automated checks are in place.
Explicit ownership is key! For us, assigning a dedicated 'security owner' for each service along with lightweight CI checks has been effective. It’s not overly complex, but it definitely ensures that someone is on it.
That makes sense! Assigning security at the service level strikes a good balance. I've noticed many teams skip CI checks early on thinking it's not necessary, but then it becomes a nightmare to implement later on. What kind of lightweight checks do you include?
I believe everyone on the team should be equipped to write secure code. We don't have a dedicated security team member who oversees accessibility or code style either; we all have to keep our peers in check while coding. Of course, juniors need a bit more guidance, and we make sure to review their code carefully.
That approach seems effective, especially in smaller teams where everyone stays on the same page. However, I think challenges arise as the codebase grows. Reviewers sometimes focus too narrowly on recent changes and overlook long-standing risks that everyone knows about, like the Docker socket issue. Those inherited assumptions can easily escape critique.
I really like the idea of having a per-release sign-off! It creates accountability without needing someone solely dedicated to security. Just one person needs to give the go-ahead before anything ships. But how do you handle it when that person moves on or when the team grows?