Building Bridges Between Security and Development

Cyberattacks are occurring more frequently than ever before. Companies today realize that security can no longer be an afterthought. It needs to be made an intrinsic part of software, a functional requirement. Doing so requires silo-less communication and collaboration between development and security teams. Both teams must work together to understand possible attack vectors, create threat models, and eventually improve the organization’s security posture.

The relationship between security and development

During the discussion, the attendees were asked to reflect on the relationship between security and development teams in their organizations. Multiple participants agreed that it becomes hard to prioritize security-related tasks over other business requirements due to a lack of development resources. One executive said that since their company is striving to become compliant with various frameworks, their security team spends a significant amount of time urging developers to do things they don’t want to. Another mentioned that their AppSec and DevOps teams work in a silo, making it hard for the developers to keep up with new security developments in the company.

A Director of IT added that they invite all relevant stakeholders to the meeting whenever they plan any security-related activities. For example, they ensure that all developers, database engineers, and security teams are in the room for a pen-testing session. A VP of IT remarked that DevOps are like the gatekeepers in their organization. Nothing gets pushed to their containerized environment without approval from DevOps.

An organization’s journey to becoming security-conscious

A CISO shared that up until a few years ago, only one person was handling security across their organization. They first realized the need to have dedicated security and privacy teams when GDPR was rolled out. Initially, the security team mainly focused on strengthening security at the infrastructure level, e.g., setting up new firewalls and implementing access control. Soon afterward, they started taking a more holistic approach towards security. They improved application and API security and held training related to OWASP and security best practices. Before starting their cloud migration efforts, they had to create a long list of security considerations and controls for everyone to follow.

Why is there a need to bridge the gap between development and security?

Multiple participants concurred that developers and security teams must collaborate to implement proper application security. There are many risks, vulnerabilities, and attack vectors to defend against in today's evolved cyber landscape. It’s virtually impossible for developers to mitigate all these risks and threats without extended support from security. One speaker argued that security is no longer a specialization; it is something that everyone should be trained on. Security teams should enable other teams in the organizations to keep up with the latest security trends and best practices.

How to bridge the gap between development and security?

An executive said that it all starts with conversations. Security teams can figure things out about an application by scanning it and running penetration tests, but they’ll learn more if they sit down with the developers and have a chat. Try to understand how the application was designed and developed and then figure out ways to secure it. Similarly, developers should seek guidance regarding testing tools from the security team to be able to run them inside their own environments.

What are some obstacles to implementing security?

One mentioned obstacle was the shortage of talent. When we talk about applications and cloud security, it’s tough to find skilled and experienced people. One CIO mentioned that their strategy for combating the talent shortage is heavily focusing on intern programs and converting interns to staff. “The goal in 5 years is to grow our way out of the talent shortage.” Battling cloud misconfigurations and patching zero-day vulnerabilities were other hot concerns.

‍