researchHQ’s Key Takeaways:
- To overcome the divide between application security and development teams, organisations can take simple steps to create a productive relationship built on mutual empathy and accountability.
- Avoiding siloing and working together fosters more realistic and cohesive goals, processes and metrics.
- Leveraging automation in combination with manual pen-testing demands a shift in mindset that promotes collaboration between developers and security teams.
It’s simple in theory. Finding, fixing, and even preventing, vulnerabilities is a shared responsibility between security and development teams. That being said, silos still exist between DevOps and application security teams. DevSecOps – symbolically putting security at the center – is a great theory but is only effective if these groups work together to develop the people, process, and technology needed to be effective.
In fact, a recent Ponemon Institute Research report shows that 71 percent of AppSec professionals believe security is undermined by developers who don’t include proper security functionality early in the software development life cycle (SDLC). That statistic, to me, shows that there is a substantial divide between development and security teams, a divide that can (and should) be overcome. It’s not surprising, though, that these divides exist considering how teams are spread thinner everyday while aiming to increase release velocity. If we are going to solve these problems, we need to focus on creating human connections across teams, and a DevSecOps mentality will become not just policy, but also culture.
Come together by understanding motivations
In my experience, developers and security personnel don’t think that differently. They just have different incentives. Developers work to move through the SDLC quickly to get applications launched. Security teams, on the other hand, are incentivized to make the SDLC process as secure as possible, which is oftentimes viewed as slowing down progress by adding non-functional security requirements. If this is the viewpoint, it is no wonder that the groups may be at odds. Human relationships – even in the work environment – need to find common ground.
One of the best books I’ve read is Hit Refresh, the New York Times bestseller about the transformation happening inside Microsoft, from its CEO Satya Nadella. As Satya describes, “It’s about how people, organizations, and societies can, and must, transform and “hit refresh” in their persistent quest for new energy, new ideas, and continued relevance and renewal.” He is able to achieve this “refresh” he describes by being “out in the world, meeting people where they live and seeing how the technology we create affects their daily activities.” I believe in this philosophy and it has direct parallels to how we work in security.
Empathy for our colleagues and the relationships we develop with them is critical to achieving success within organizations because we can understand how the policies and procedures we develop impact their work and why the outcomes we expect often don’t materialize. Some may view empathy as letting people off the hook for not performing a specific task. But it’s important to connect empathy with accountability. By understanding the needs and incentives of our peers, we develop policies and procedures that are fair and transparent. Holding each other accountable is not only fair, but expected – as a result, security and development teams will uncover creative ways to collaborate to ultimately achieve overlapping goals, faster and with less friction.