Bridging the Gap: How Developers and Security Professionals Can Collaborate for Better Cybersecurity

Experts at Black Hat 2024 reveal how developers and security pros can collaborate better: from shifting left to embracing AI and prioritizing user experience.

By Tom Smith · Sep. 03, 24 · News

In the ever-evolving world of cybersecurity, the relationship between developers and security professionals is crucial. At Black Hat 2024, industry experts shared their insights on how these two groups can work together more effectively to create more secure systems. This article explores key areas where developers and security professionals can improve their collaboration and practices.

Shifting Left: Security from the Start

Several experts emphasized the importance of integrating security earlier in the development process. Idan Plotnik, co-founder and CEO of Apiiro, suggests that "developers and security professionals need to focus on integrating AI security into their application security processes." This approach ensures that security is not an afterthought but an integral part of the development lifecycle.

Phil Calvin, Chief Product Officer of Delinea, echoes this sentiment, stating, "There's the known concept of 'shifting left' - moving security closer to the application development phase versus as an afterthought, which many organizations have adopted as a best practice."

Embracing AI and Automation

As AI becomes more prevalent in both development and security, professionals in both fields need to adapt. Katie Paxton-Fear, API Researcher at Traceable AI, notes, "We've seen AI and AI security move into focus very quickly, which is great news because we are finally developing security with the technology as it grows and matures."

Orion Cassetto, head of marketing at Radiant Security, goes a step further, advocating for "embracing the power of AI-based automation and intelligence for all manual tasks in the SOC."

Focusing on Data Stewardship

With the increasing importance of data in modern applications, both developers and security professionals need to prioritize data management. Amer Deeba, CEO and co-founder of Normalyze, suggests a "heightened focus on data stewardship. Developers and security professionals need to pivot their focus towards a deep understanding of the data they create and manage."

Adopting a Human-Centric Approach

While technology is crucial, several experts emphasized the need for a more human-centric approach to security. Rajan Koo, CTO of DTEX, advises, "Developers and security professionals need to start looking at cyberattacks with a human-centric lens." This approach involves understanding the intent behind behaviors, not just the technical signals.

Prioritizing User Experience

Security should not come at the cost of usability. The team at SquareX emphasizes that "security should never come in the way of user productivity. This should be the principle of any design." They suggest that cyber professionals should prioritize user experience alongside security principles.

Continuous Learning and Adaptation

Given the rapid pace of change in technology and threats, continuous learning is crucial. Antonio Sanchez, Principal Evangelist at Fortra, recommends "taking the time to mentor and train the next generation" in areas like vulnerability management, configuration management, and security awareness.

Improving Communication and Collaboration

Several experts highlighted the need for better communication between developers and security teams. Phil Calvin of Delinea stresses the importance of "greater transparency with security professionals, communicating the concerns and risks to developers." This open line of communication can lead to more secure and efficient development processes.

Resilience-Focused Development

Shariq Aqil, Global Field CTO at Zerto, emphasizes the need for a shift in focus: 

"Developers and security professionals should focus on resilience, not just recovery. They need to ensure that their solutions are designed to recover from cyberattacks from every angle and bring the environment back online quickly."

This approach goes beyond traditional backup methods, encouraging teams to build systems that can withstand and rapidly bounce back from cyber incidents.

Addressing Hardware and Firmware Risks

Alex Holland, Principal Threat Researcher in the HP Security Lab, highlights an often-overlooked area: 

"Security professionals can reduce hardware and firmware risks in their environments by taking the following steps. First, adopt Platform Certificate technology that enables the integrity of device hardware and firmware to be verified upon delivery."

This advice reminds us that security considerations must extend beyond software to the hardware level.

Implementing Zero Trust and Least Privilege

Bruce Esposito, Senior Manager of IGA Strategy and Product Marketing at One Identity, advocates for a more stringent approach to access: "Just as organizations today have a 'trust but verify' view of their people, they must do the same with AI." This perspective encourages developers and security professionals to implement zero-trust architectures and least-privilege access models, even when dealing with AI systems.

Enhancing Supply Chain Security

Javed Hasan, CEO and co-founder of Lineaje, stresses the importance of understanding the entire software ecosystem: "Any software that your company builds has a direct runtime dependency on the software that is bought." He encourages developers and security professionals to gain deeper visibility into their software supply chains and associated risks.

Leveraging Advanced Threat Intelligence

Steve Stone, Head of Rubrik Zero Labs, suggests a more proactive approach to threat detection:

"Security leaders must realize that they will never be able to fully quantify risk — or completely eliminate it. Instead, what they can do is get a handle on the most impactful levers, work to address predictable outcomes, and take distinct actions to change the risk calculus in their favor."

This involves leveraging advanced threat intelligence and focusing on high-impact areas of risk.

Embracing Secure-By-Design Principles

Kiran Chinnagangannagari, CTO, CPO, and co-founder of Securin, emphasizes the importance of secure-by-design principles: "Security teams need to roll up their sleeves and learn to code, while developers must embrace the 'secure by design' philosophy from the outset." This approach ensures that security is baked into the development process from the beginning, rather than being added as an afterthought.

Improving Data Visibility and Control

Jackie McGuire, Senior Security Strategist at Cribl, encourages a more holistic view of data: 

"If teams focused more on building a strong data foundation, they would be better equipped to handle security challenges as they arise."

This involves improving data visibility across the entire infrastructure and implementing robust data control measures.

Conclusion

As the cybersecurity landscape continues to evolve, the relationship between developers and security professionals must adapt to meet new challenges. The insights from these industry experts underscore the multifaceted nature of modern cybersecurity and provide a comprehensive roadmap for better collaboration and more robust practices.

By shifting security left, embracing AI and automation, focusing on data stewardship, and adopting human-centric approaches, teams can lay a strong foundation for security. Furthermore, implementing zero trust models, enhancing supply chain security, and addressing hardware risks expand the scope of protection. Prioritizing user experience ensures that security measures don't impede productivity, while committing to continuous learning keeps teams ahead of emerging threats.

The key takeaway is clear: effective cybersecurity is not just about adopting new technologies or following best practices. It's about fostering a culture of security that permeates every aspect of the development and operations process. By embracing these diverse approaches and improving communication, developers and security professionals can work together more effectively to create more secure, resilient, and effective systems in the face of evolving cyber threats.

Ultimately, by continuously learning, adapting, and collaborating, these two groups can stay ahead of threats and build truly robust systems that withstand the test of time and the ever-changing threat landscape.
