Address the Communication Gap Between Dev and Security Teams
Most organizations already know it: development and security teams have a communication problem. Often they communicate poorly, or not at all. That is a serious obstacle for any organization that wants to succeed with DevSecOps and deliver secure applications.
If security and development teams work independently of one another, or worse, at odds with one another, product security suffers.
A report by research firm Ponemon Institute in 2020 noted that organizations are at risk when application security and development don’t have a common vision for delivering the software capabilities the organization needs in a secure manner.
There must be a fundamental agreement that security is integrated throughout the application development process. As businesses push developers to build and deliver code continuously and at speed, security comes to be seen as a hindrance, the report noted.
As part of the research, Ponemon Institute surveyed 581 security practitioners who are involved in and knowledgeable about their organization’s application security activities, and 549 who are involved in and knowledgeable about their organization’s software application development process. Seventy-seven percent of developer respondents said the cultural divide affects their ability to meet deadlines, while 70% of the security respondents said the divide is putting the security of applications at risk.
A large majority of the security respondents said that application security is undermined by developers who, in their view, do not care about securing applications early in the software development lifecycle.
It is clear that the two groups do not always share the same definition of success. Developers want to ship innovative software quickly, automating as much of the pipeline as they can; the security of the finished product is rarely their first concern.
The security team, on the other hand, wants code to be as free of vulnerabilities as possible. That makes the final product safer to use, but it can also slow the pace of development.
These and other differences create considerable friction, which in turn leads to turf battles, a lack of cohesion and even lower-quality products. Organizations therefore need to make sure the teams take deliberate steps to break down the barriers between them and learn to understand each other.
Find Common Ground
One good practice is to find common ground between the two areas. Discovering and fixing vulnerabilities — or preventing them in the first place — should be the shared responsibility of both the security and development teams.
After all, good quality software should arrive in production or on the market with as few vulnerabilities as possible. It’s in the best interest of both teams to see that it does. Once they fully realize this commonality, they need to collaborate to determine the best ways to address vulnerabilities.
Simply getting together to resolve security and development issues can itself strengthen the relationship. When members of the two teams meet regularly, they tend to develop greater empathy for each other and become more flexible. They come to see that they are working toward a common goal and look for ways to cooperate more.
Adopting DevSecOps practices, and the automation that comes with them, can play a major role in fostering teamwork between developers and security professionals. Bringing products to market not only quickly but securely should appeal to both groups.
Leadership Must Step Up
Another key to success is senior-level executive support for initiatives that bring security and development teams together. CISOs are a natural choice to lead such efforts, given their overall responsibility for cybersecurity and their involvement in DevSecOps, but CIOs, COOs and other senior executives can also lend their support.
As the Ponemon Institute noted, senior leadership must create an environment that encourages teamwork, collaboration and accountability. Most organizations are not actively taking steps to encourage security and development to work more effectively as a team, it said. Only 36% of security respondents and 45% of developer respondents think their organizations’ senior leadership is aware of this problem.
That has to change, and leaders need to grasp the importance of having security and development teams work as a cohesive, harmonious unit. With so many organizations advancing their digital transformation efforts and introducing new online services, it’s more important than ever that these two factions not only get along, but excel through effective collaboration.