When development and security work hand in hand, applications are more secure and organizations run more smoothly. To get there, security should create guardrails, not barriers. But what does this mean in practice?
In this episode of The Security Champions Podcast, Mike talks to Derek Fisher, author of The Application Security Program Handbook, about security education for developers and how to bridge the divide between development and security.
Developer Security Education Gap
Organizations face mounting consequences for data breaches and application attacks, yet the conversation around securing applications still focuses on tools and automation. The human factor, however, is crucial to releasing secure code.
The developer knowledge gap is the difference between the security knowledge and skills that developers need to do their jobs securely and the knowledge and skills that they actually have.
Few people realize how little security training developers receive at the academic level. In fact, 0 of the top 50 U.S. university coding programs require secure code courses. Computer science professors should examine their curriculum to make it easier for the industry to embrace security from the start.
Watch The Webinar: How Are You Solving The Developer Security Knowledge Gap?
Currently, many introductory courses focus on correctness, efficiency, and performance. However, as regulations become increasingly strict for software developers and providers, the hiring landscape will change: organizations will ask for security knowledge during the interview process, which in turn will push universities to make security principles a requirement.
Overcoming The Developer Security Education Gap
Until academia evolves to keep up with the growing security demand, organizations have to take on the educational needs of their developers. This type of education focuses less on the latest tech stacks and more on secure coding training.
Continuous education that goes beyond simply ‘raising awareness’ is essential to creating a security-first mindset, one that makes secure code a consideration as early as possible in the development process.
Organizations can promote security education through:
- Adopting a purpose-built security training platform for your organization
- Building a champion team to work cross-functionally
- Promoting continuous education for champions by sending them to technical security conferences
Consider integrating continuous education into developers' yearly goals, which gives you a way to measure success and keeps continuous education top of mind.
The Conflict Between Development & Security
The first step to bridging the divide between development and security is to embrace community. Both teams are there to work together toward a common goal.
Conflict arises because security and development have two different priorities:
- Development teams want to release faster.
- Security teams want to reduce vulnerabilities.
Let’s look at two ways you can work to bridge the divide between development and security teams:
As an Application Security Professional, you are in the business of building relationships. It is therefore essential to motivate yourself and your team to communicate with other departments throughout the development cycle.
At the beginning of a project, the security team should make sure it understands the requirements. This allows your security team to proactively share information with the development team, including flagging evolving threats and critical vulnerabilities as soon as they are identified.
Collaborate Throughout the Development Lifecycle
Engaging security too late in the development lifecycle often leads to conflict between the development and security teams. Developers are usually under pressure to meet tight deadlines, and bringing in security engineers at a late stage can cause delays because security issues then have to be fixed before release.
It's essential to remember that no single team has all the knowledge, so collaboration between the teams from the outset is crucial. Engaging and collaborating with the security team from the beginning of any development project is necessary to avoid conflicts and ensure the project's success.
Are You Ready to Create a Culture of Collaboration?
You can get Derek Fisher’s Application Security Program Handbook online today. To learn more about security champion programs and other AppSec topics, please subscribe to "The Security Champions Podcast" by Security Journey.