Addressing the Elephant in the Room: Getting Developers & Security Teams to Work Together
Bridging the divide between developers and security can create a culture change organically.
February 10, 2023
Over the past few years, organizations have dramatically expanded their use of cloud environments by more than 25%. This expansion came as organizations shifted toward hybrid workforces, where employees needed to access business-critical applications from their kitchen, local coffee shop, or halfway across the world. There is no debate today that the majority of applications have moved to the cloud and cloud-native development will continue to gain popularity, with developers able to build and deploy new applications within minutes. In fact, Gartner estimates that by 2025, more than 95% of new cloud workloads will be deployed on cloud-native platforms, up from 30% in 2021.
However, if you ask any developer what the one aspect to application development/deployment that slows them down is, they'll give you one word: security. There has been a long-standing and well-known disconnect between application developers and security teams — a constant tug and pull where developers don't want their applications slowed down or user experience to be altered by security protocols.
Meanwhile, security teams are working to ensure these applications won't open their organizations to increased risk. According to Palo Alto Networks' 2022 What's Next In Cyber survey, 71% of chief information security officers (CISOs) agree that security slows down DevOps in their organizations. So, how do we satisfy both groups and have them work together to deliver secure applications?
By setting and pursuing shared goals, your organization's security and DevOps teams can reinforce each other's success rather than working in silos. Here are a few ways each team can better work together to deliver secure applications that do not impact user experience or time to deployment.
Define Your Shift-Left Security Strategy Together
Create a mutual understanding of what shifting left means to the organization. In its simplest form, it means embedding security at the forefront of application development rather than at the end. With this approach, organizations shift from reactive to proactive, where security vulnerabilities can be addressed early on, when they are less complex and costly. This mutual understanding can mean developing a document that outlines the vision, ownership/responsibility, milestones, and metrics. This way, both security and DevOps teams commit to one another that security is not an afterthought and both are aligned to create a more holistic approach to application security.
Understand Where and How Software Is Created in Your Organization
One of the biggest challenges of shifting security left is understanding how and where software is created within the organization. This is shaped by various variables, including the company's size and whether the work is outsourced to multiple vendors. For example, a large organization will likely spend more than a few months digging, and require additional time to review contracts. Key items to identify are people, process, and technology:
People = who is developing the code
Process = the flow from development laptops to production
Technology = systems used to enable the process
Developer-Friendly Security Tools
Providing and implementing developers with friendly tools from the beginning of development ensures that security teams are empowering DevOps teams with the right set of tools to take ownership for the security posture of their applications. Practical and unobtrusive security tools dramatically increase developers' willingness and ability to inject security into their pipelines. As security professionals, we must equip them with tools that do not hinder their processes but, rather, empower them to build with the confidence that their applications are secure.
Implementing these steps within your organization is the start of bridging the divide between developers and security teams. If done correctly and there is complete buy-in from both sides, a culture change will occur organically. Security teams will begin to trust developers to take ownership for security, while developers will continue to operate with speed and agility. By shifting left, both teams put themselves in a position to better protect the organization and strengthen the overall security posture.
About the Author
You May Also Like