There is a big conversation happening right now in the world of application security (AppSec), one that is focused on how security and DevOps professionals can come together in the name of better, safer software, because right now these teams are often worlds apart. Although DevOps has revolutionized the speed of software development, the implications of this increased velocity can sometimes run counter to the goals of security, emphasizing the need for better risk management.
A starting point for the conversation lies in the ownership of AppSec responsibility. Today, DevOps and AppSec teams often don’t really know where (or with whom) the responsibility for application security sits. Specifically, do Dev and Engineering teams own responsibility for securing the applications they develop? Does a central corporate or product security team hold the ultimate accountability? Or does the answer lie elsewhere? Regardless, a lack of alignment and understanding on this—and a host of other related issues—can effectively increase application security risk.
What does the research say?
A recent report conducted by the Ponemon Institute and sponsored by ZeroNorth highlights some data points around this cultural gap, including the need for AppSec and DevOps to identify better strategies for unification. Yes, it’s critical for different teams—from security to DevOps to business leaders—to align their efforts, but they must first recognize the obstacles they’re facing. The results of the survey speak directly to the cultural divide between these organizational teams.
The bottom line is organizations put themselves at risk when security and development teams don’t share a common vision on how to deliver software to market quickly and securely. This inability to unite under a common goal is what Ponemon calls the “cultural divide,” and it’s creating the need for a new breed of superhero.
Who wears the cape?
Under this new world order, there must be a hero—otherwise known as a Security Champion—to take charge of helping developers build applications securely. In short, Security Champions are professionals from a range of roles (engineering, product management, etc.) who care greatly about security and advocate for AppSec best practices within development teams. At the end of the day, this role is what can help bridge the divide between Security and DevOps/Engineering.
As a company focused on uniting security, DevOps and business teams for the good of software, ZeroNorth recently surveyed 99 security and development professionals to find out how these Security Champion Programs are working and where success is being found. The results from this survey tell us a lot about the state of these programs and where they are headed in the future.