The relationship between developers and security teams has typically been fraught with challenges. Each team is working to related, yet not always aligned, objectives. This can give rise to tensions and have a negative impact both on the organisational culture and the output of each team.
Whilst developers are focussed on delivering products and features and releasing these to customers as quickly as possible, security teams have the ‘safety-first’ role which can put barriers and delays in their way.
Building a more collaborative culture in which trust and co-operation between the teams is central is in everyone’s interest. It means that developers are focussed not only on meeting release dates, but also on building in security from the outset. It also means that security teams can play a more central role in ensuring the integrity of applications to avoid problems further down the production line.
And whilst the issue of trust might sound nebulous it can, ultimately, have a direct bearing on revenue. When the world runs on code, the delivery of safe, secure applications has never been more important; strategies that foster a close, productive relationship between the two teams, with open dialogue to strengthen bonds, should be prioritised and embedded within the culture of every software-first organisation.
The divide between AppSec and Developers
Amongst the factors that have contributed most recently to the disconnect between the two teams is the rapid pace of digital transformation across nearly every industry sector. Applications need to be rolled-out at an ever-greater speed to support these huge operational shifts. At the same time, technological advancements in IoT, AI, and 5G, have put further pressure on development teams to speed up software delivery, creating further tension between the objectives of each team: on the one hand the need for fast development and on the other, for robust application security.
Bridging the gap between these teams is challenging as, for developers, their primary focus is on delivering feature-rich, user-friendly products quickly, while security teams concentrate on ensuring safety and minimising risks. However, there’s a clear business imperative to align objectives and build a close working relationship between developers and security teams so that AppSec is ingrained as a strategic element of the development process.
The current state of affairs
To help us better understand some of the issues that might be holding teams back from a close, constructive working relationship, we conducted research with CISOs, AppSec managers and developers across a range of organisations.
Firstly, we there seems to be a lack of consensus on who should spearhead AppSec policies. According to our research, 56% of respondents view policy creation as their responsibility, 41% assign it to developers, and 38% assign it to AppSec teams. This uncertainty over who owns AppSec will inevitably lead to gaps in accountability and ownership which could prevent policies being implemented and increase an organisation’s exposure to threats.
AppSec is a specialist and constantly changing area of cybersecurity, which means that education and training are vital for developers. They need to be equipped not only with tools, but also the latest know-how in AppSec to ensure that security is at the heart of the development process. Here again, however, there were divided opinion on the ownership of training developers in AppSec best practices. Around half of the respondents from our research believe this should be the remit of AppSec teams, while the rest favour developers undertaking self-directed learning, such as through interactive courses. Given the complexity of cyber threats, effective protection of applications and the broader organisation hinges on equipping shared knowledge between developers and AppSec teams.
How to align Appsec and Developers
Establishing clear Key Performance Indicators (KPIs) is key to aligning the two teams. These KPIs, which could range from acceptable vulnerability counts in initial scans to timelines for mitigation, provide a tangible framework for tracking security progress. More importantly, they must be regularly reviewed to gauge improvement and ensure they align with the broader business objectives. Developers need to see the direct correlation between these security measures and the overall success of the organisation, fostering a deeper commitment to adhering to security protocols.
Another critical component is the provision of AppSec training tailored to developers. Training that is interactive and meshes well with their existing development environments can significantly boost their understanding and application of secure coding practices. This proactive learning approach not only enriches the developers’ skillset but also embeds a security mindset from the very beginning of the coding process.
Factors to consider for smooth operations
Addressing the issue of alert fatigue is crucial for security teams. The past decade’s proliferation of cybersecurity tools has bombarded developers and AppSec teams with excessive alerts, often hindering their efficiency.
Streamlining these alerts to focus on their relevance and accuracy is vital. Reducing false positives and zeroing in on the most critical vulnerabilities can significantly enhance the security process. Integrating AppSec testing directly into development environments can be transformative, making the process more efficient and developer-friendly and bolstering adherence to AppSec standards and practices.
Moving towards a united front
Around 60% of vulnerabilities are identified during the coding, building, or testing stages of software development which underlines the importance of processes that encompass each phase of the Software Development Life Cycle (SDLC) to pinpoint and address security vulnerabilities. This approach goes beyond ‘shifting left’ to address early vulnerabilities; it’s about integrating security measures throughout the development process, a strategy referred to as ‘shifting everywhere.’
Employing a cloud-based platform can significantly streamline this integration. Such platforms enable development teams to incorporate security scans directly into their Continuous Integration/Continuous Deployment (CI/CD) workflows. This method not only facilitates closer collaboration between development and security teams but also enhances the focus on comprehensive product security.
Processes that can help the way that security teams and developers collaborate are not just a security requirement but a fundamental aspect of successful business operations in software-driven organisations. By adopting strategies that integrate AppSec seamlessly into development workflows and fostering an environment of mutual understanding and shared responsibility, organisations can ensure the security, efficiency, and innovation of their digital products and the applications that run their businesses.
With over 25 years of experience, Alon has held leadership positions in IT, Security, Process Automation, and Infrastructure Management. His current focus is on strategic planning, Cloud Operations, FinOps, and technical Services, ensuring robust infrastructure for customers, employees, and partners.