Are your security and development teams at odds? If so, it's not uncommon - balancing competing priorities can be challenging for organizations, and failure to do so can result in reputational damage, financial losses, and legal liability.
It's time to bridge the divide between security and development teams to create a more productive software development lifecycle.
In this article, we'll share key actions that security AND development teams can take to help bridge the divide and create safer applications
The AppSec Dilemma
We are currently in an application security dilemma that stems from growing security concerns, pressure on development teams, and a lack of structured security training.
- Development teams want to release faster.
- Security teams want to reduce vulnerabilities.
This dilemma is affecting organizations and is why application security has not improved over the last decade.
Bridging The Gap Between Security and Development Teams
Security and development teams don't need to work against each other – especially when they ultimately have the same end goal – safe and effective applications.
By opening up communication and understanding between the two teams, you can shift left your development lifecycle and create more successful, safe applications. In addition, "Shift Left" can make your organization more efficient by considering application security and testing for vulnerabilities earlier in the development cycle.
To bridge the gap between security and development teams, you can consider the three C's:
- Communicate – Bring both teams on the same page with unified learning paths so all members of the SDLC can understand basic security concepts.
- Collaborate - Work across teams to understand each other's goals and challenges.
- Create Safe Apps - Building a strong culture of security takes time and continuous communication and collaboration.
Free Resource: Bridging The Divide Reference Card
But it takes both teams to work together to help bridge the divide. So let's look at some actionable ideas on how security and development can work together.
How Security Teams Can Compromise
Security teams want to reduce vulnerabilities, but you can't accomplish this goal without the development team.
We've identified four ways that security teams can bridge the divide with the development team:
- Prioritize Speed
- Validate Security Alerts
- Understand The Business Requirements
- Provide Actionable Feedback
Let's take a look at how security teams can work to bridge the divide.
Your security team should keep in mind the development team's priority is speed and functionality. Therefore, security leaders should promote the need to collaborate with the development team to ensure that security does not slow down the development process.
This can involve:
- Automating as many security tasks as possible into the developer's workflow
- Ensuring that security scanning tools are fine-tuned to the current software and security goals
- Avoid the need to break a build if a vulnerability is discovered
Validate Security Alerts
Validating security alerts can be cumbersome to the developer team's workflow. This can become frustrating when scanning tool results are false positives and waste developer time.
Security teams should support the development team by validating discovered vulnerabilities and creating detailed explanations with recommendations for mitigations for the developers to implement.
This proactive approach will improve both parties' experience by increasing team communication and encouraging collaboration to solve the problem.
Understand The Business Requirements
While application security is critical for a successful product, security teams should work to understand the business requirements and the end-users needs.
By opening up communication and sharing a baseline understanding of business requirements, security teams can better instill security measures that do not compromise the end-user experience. Work with your development leaders to prioritize the correct security measures and be willing to compromise and accept some risk where it makes sense for the business's priorities.
Provide Actionable Feedback
A meaningful way to open communication between teams is for the security team to provide actionable feedback to the development team. Frame your feedback to be detailed with actionable guidance and recommendations on how to prevent similar vulnerabilities in the future.
Some examples of this include:
- Clearly identify potential vulnerabilities and provide guidance on remediation
- Work with the development team to prioritize the most critical issues.
How Development Teams Can Compromise
Development teams want to release apps faster, but you can't release insecure apps to your end users. So you need the security team to help create secure applications.
We've identified four ways that development teams can bridge the divide with the security team:
- Address Security Concerns Early in the Development Process
- Follow Secure Coding Practices
- Conduct Code Reviews and Testing
- Embrace the Security Champions
Let's take a look at how development teams can work to bridge the divide.
Address Security Concerns Early in the Development Process
The development team should address security concerns early in the development process rather than waiting until the testing or deployment phase. Work with the security team to identify and address potential vulnerabilities before they become critical issues.
Some ways you can do this include:
- Include security team members to give input on non-security requirements
- Create threat models for new features and applications
- Invite security team members to participate in the threat modeling process
Having the security team support the threat modeling process will ensure a more secure application and build a culture of collaboration.
Suppose the security team is not large enough to support every development team. In that case, having a security champion program ensures that someone in the room represents the security team's goals during design and development.
Follow Secure Coding Practices
The development team can prioritize security within their code by following secure coding practices. By ensuring that the development is writing code less prone to vulnerabilities and less likely to be exploited by attackers, you can help your security team focus on their high-priority projects.
Helping the development team be thoroughly trained on proper secure coding techniques in their language/technology will go a long way to support the security team's initiatives in preventing vulnerabilities before a single line of code is written.
Learn More: What Is Secure Coding Training?
Conduct Code Reviews and Testing
The development team should conduct regular code reviews and testing to identify potential vulnerabilities in the code, then work with the security team to prioritize and remediate any identified issues.
Since developers already do this in their standard workflow when writing software, the compromise is to include a requirement to check for security-related issues when reviewing code.
Adding this to the developer's workflow is as simple as having a list of the most common threats discovered in your organization and having that be a consideration during a code review that must be evaluated before approving code changes.
Embrace the Security Champions
Having at least one person from each development team volunteer to be a security champion will go a long way to breaking down the walls of communication between development and security.
This person works as a liaison between both teams and will have an in-depth understanding of their priorities. This is the most effective way for the development team to ensure they support the security team's priorities.
Listen Now: The Security Champions Podcast
See How Security Journey Can Help You Bridge The Divide
Security Journey bridges the gap for faster, more secure development by taking a targeted, vulnerability-driven approach to application security education. With our AppSec Education Platform, you provide your organization with an entire suite of application security training solutions.