Security Journey Blog

Habits To Help Bridge The Developer vs. Security Gap

Written by Security Journey/HackEDU Team | May 18, 2023 1:00:00 PM

It’s not uncommon for teams across an organization to be at odds with one another.

Developers and software engineers are under pressure to write 100x the code they were 10 years ago; they want to release code fast and quickly bring new applications and services to market first in the race to innovate. Security teams, on the other hand, want to reduce vulnerabilities and protect their organization from the ever-evolving, expanding threat landscape.  

If the industry is to tackle this ‘AppSec Dilemma’ and truly embrace Security-by-Design (as called for by CISA), this gap between security and development teams needs to be bridged. This requires major change across people, process, and technology, encouraging teams to move away from the blame culture and shift towards adopting more collaborative and supportive habits.  

Read More: Feeling Exhausted? The AppSec Dilemma Could Be to Blame

 

Embracing New Habits 

A big change in organizational culture can be difficult to navigate, but adopting new habits and starting with small adjustments to day-to-day tasks makes the shift more manageable.

Embracing more ‘secure habits’ is invaluable across organizations looking to prioritize and improve security culture and bake in secure coding best practices from the start. This includes ensuring security and development teams work together on a more collaborative basis, rather than working in siloed departments, unaware of each other’s central challenges and therefore working at odds with each other.  

Read More: Bridging the Security and Development Divide

The first step in this collaboration requires commitment from everyone and should take the form of an initial meeting between leaders.

From here, security and development leaders can drive discussions around what is keeping them up at night, their biggest issues, and how they will work together to help each other. Then, keeping an open line of communication with regular meetings will help each team understand the evolving difficulties of other areas of the SDLC.

There are also a number of habits that these departments can embrace for greater collaboration: 

The security team: 

  • Get in the habit of validating alerts rather than leaving it to the developers and wasting valuable time in the development process. 
  • At the initial stage of a project, make sure to understand the requirements – and be willing to accept some risk to satisfy customer needs. 
  • Start proactive information sharing with the development team, including flagging evolving threats and critical vulnerabilities when you first spot them.  

The development team: 

  • Software engineers are already regularly conducting regular code reviews with their peers. They can make it a habit to ask their security team colleagues to support these reviews at an earlier stage of the process. 
  • Leaders of development teams must begin to see security as a non-negotiable part of software, and question whether it is secure before they ship it. 
  • Nominating a security champion from within the development team, who serves as a security expert and resource to peers, will streamline the shift towards greater collaboration.

 

Continuous Approach to Training 

The threat landscape is ever-changing, and vulnerabilities are on the rise. Secure coding training delivered on a continuous and programmatic basis is therefore invaluable, not just for development teams, but across the entire software development lifecycle.

According to a recent EMA report, 60% of organizations adopting continuous training realized great improvements in their code security, while only 3% did not. And with teams regularly taught the value of security, with hands-on training, it becomes far easier to establish a culture where collaboration between teams is welcomed. 

Security Journey bridges the gap for faster, more secure development by taking a targeted, vulnerability-driven approach to application security education.