We talked to 25 IT security professionals and asked them how developers and security professionals can work together more effectively. Here are their suggestions:
- Developers have the attitude that “their shit doesn’t stink” – all of their code is secure. Check egos at the door for better collaboration with security. Talk about security and work together to solve the problem.
- We need a disclosure process. Security researchers can be threatening just trying to sell their services. Developers and security need to work together to patch bugs. The reporting process should change depending on whether something is a bug or a vulnerability. Think about who is making money and what their motivation is. Developers feel like they’re attacked by researchers. Researchers don’t realize what happens when they talk to the press and how it affects the company producing the app or solution.
- Responsibility lies with everyone. Security needs to look at problems from the developers’ and executives’ point of view. Stop spreading fear, uncertainty, and doubt. Improve collaboration throughout the SDLC. Provide training and guidance on an ongoing basis. Write up secure coding guidelines. Know what the security team is looking for.
- Work with security. Discuss what the app is going to do. Know what data will be processed and what security steps need to be incorporated while building the app. Collaboration between developers and security or risk managers is essential to have a stronger security posture.
- There’s a disconnect between application developers and security. We need more knowledge sharing. Application developers need to take responsibility for what they are doing, with regards to security, from the beginning. Security flaws are a bug like any other bug. Security professionals need to properly educate application developers.
- I'm a proponent of hiring a developer to add to the team and encourage developers to learn how to help security. This will make the developer more valuable.
- Share best practices. Have more integrated information to share via APIs and other integrations. Automated blocking and sharing playbook. More collaboration will result in stronger, more secure code and networks.
- Provide a solution that can be used by both. Scan code for vulnerabilities and provide correction and virtual patches everyone can share to solve all the issues. The solution brings everyone together.
- Have bridge builders in the right place to understand how objectives fit into the company’s goals. Understand if security is a gating factor, there’s a good reason. More companies bring security into CI/CD tools to do preliminary security testing.
- Developers aren’t typically intentionally insecure in their approach -- they just aren’t necessarily aware of organizational requirements or best practices. Another advantage of the security-by-design approach is that developers don’t have to be security experts, and security experts don’t have to worry about what developers might be doing. This gives IT leaders confidence their application network can flex to meet the changing demands being placed on it, at a speed which will keep the organization at pace with market forces. Teams can use visibility as the point of a shared objective. Visibility is great for security, but it's also great for the business. The business wants to know what's going on, they want to know who's using it, they want to make data-driven decisions. Security wants that same data for a different purpose: they want to know who is using it to make sure that the data is safe and that only the right people have access to it. API-led connectivity provides a clear path to broad visibility.
- 1) I’m sure you’re very familiar with the conflicts that often arise between development teams and the security team. There could be many reasons for that, but the reality is that developers these days are primarily measured by how quickly they are able to release new functionality and how efficient their code is. Security, although trending upwards in importance, is still – unfortunately – not a primary concern. Therefore, any tool or process, like security, that developers feel slows them down and prevents them from doing their job properly is considered a problem. 2) Additionally, the lack of security awareness from the board to the development, QA, and operations teams is the main reason security isn’t prioritized for many IT teams. To shift from DevOps to DevSecOps, an organization-wide commitment should be made and enforced from the top down, with the adoption and promotion of the DevOps culture coming from management. This begins by getting executives on board and convincing them of the benefits of embracing security within their DevOps processes. This can be done by emphasizing the need to keep up with technology trends in the DevOps space and offering success stories, including financial reports. Furthermore, security awareness on the development, QA, and operations teams should start on day one with security onboarding procedures for new employees that cover secure coding tutorials and an overview of company security tools, policies, and procedures.
- It’s a slow process. Veracode audits source code. Realize that takes time and accept the fact that you didn’t write the firewall code. Add security by design.
Are there other ways you can suggest that developers and security professionals work together more effectively?
Following are the executives that shared their perspectives on this question:
- Kevin Fealey, Principal Consultant and Practice Lead Automation and Integration Services, Aspect Security
- Carolyn Crandall, CMO and Joseph Salazar, Technical Marketing Engineer, Attivo
- Amit Ashbel, Director of Product Marketing and Cyber Security Evangelist, Checkmarx
- Ash Wilson, Strategic Engineering Specialist, CloudPassage
- Paul Kraus, CEO, Eastwind Networks
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO, ERPScan
- Patrick Dennis, President and CEO, Guidance Software, Inc.
- Craig Lurey, CTO, Keeper Security
- Boaz Shunami, CEO, Komodo Consulting
- Eric Tranle, Global CMO, Darrin Bogue, Senior Solutions Engineer, LogTrust
- David Waugh, V.P. Sales, ManagedMethods
- Mat Keep, Director of Product Marketing and Analysis, MongoDB
- Aaron Landgraf, Senior Product Marketing Manager and Kevin Paige, Head of Security, MuleSoft
- Fred Wilmot, CEO, PacketSled
- Gary Millefsky, CEO, Snoopwall
- Wei Lien Dang, V.P. of Product, StackRox
- Cody Cornell, Co-founder and CEO, Swimlane
- Terry Dunlap, Founder and CEO, Tactical Network Solutions
- Chris Wysopal, Co-Founder and CTO, Veracode
- Yitzhak Vager, V.P. Cyber Product Management and Business Development, Verint
- Prabath Siriwardena, Director of Security Architecture, WSO2