Over a brief period, Zoom has achieved incredible success, evolving from a startup to a well-known business brand. Its number of users has skyrocketed, with 86% of the Fortune 100 opting for Zoom to communicate virtually (2022).
As a prominent video conferencing platform, Zoom continually adds new features, integrations, and capabilities. Zoom's development and security teams strive to uphold high-level security while providing exceptional software to customers across the globe.
As the company and customer base expanded, there was a growing need for compliant and consistent secure coding practices. To meet the requirements of its customers, Zoom had to comply with various US and international standards, including ISO 27001, SOC 2, ENS, and C5, among others.
“This [AppSec] doesn’t always come naturally to developers. It’s not that they don’t want to be more secure; they just don’t always know how,” said Robert Walker, who leads Secure Software Development at Zoom.
Shifting Left Company Culture at Zoom with AppSec Education and Secure Coding Best Practices
In 2020, Zoom began building out its application security training program by providing security awareness training to its development team. When it later decided to look for a new developer training solution, Zoom evaluated three application security training providers and chose Security Journey as its long-term partner.
“Security Journey was collaborative with the team at Zoom to help understand our needs and how they could help us reach our goals,” said Robert Walker.
In addition to an investment in a robust AppSec Education Platform, Zoom successfully integrates security education into its company culture, which supports “shifting left” in its security development lifecycle.
Here are some practices that Zoom has implemented:
- Every developer must complete the Foundational Training Path before being permitted to ship code - Zoom company policy requires engineers working on production source code to take security training. When an engineer requests access to a production source code repository, Zoom uses the Security Journey API to verify that the engineer has completed the required training before access is granted.
- Developers are required to take a yearly refresher designed to address trends in their codebase - Zoom annually identifies training focus areas, and the experts at Security Journey help create a customized yearly refresher path for all their developers.
- Ensuring training content applies to the developer’s projects - The team at Zoom created customized training paths for developers based on feature areas to deliver the right training to the right audience.
Zoom saw an immediate return on investment after implementing these secure coding best practices: developers proactively revisited code they had already completed and addressed potential vulnerabilities based on what they had learned in their training.
By implementing secure coding best practices and providing its developers with the necessary tools and knowledge to tackle potential vulnerabilities, Zoom can continue to provide exceptional software to its customers while maintaining high-level security standards.
As the platform continues to evolve, we can expect Zoom to remain at the forefront of AppSec training best practices and lead the way for other businesses to prioritize application security.