Peter Chestna, CISO North America, at Checkmarx looks at why fostering a relationship between security specialists and software developers is growing in importance.
In recent years, the responsibility for application security has become something of a shared responsibility between security specialists and software developers.
However, this shift has not necessarily translated into developers receiving the resources and support they need, particularly as they are pushed to meet tight production deadlines.
This often leads to challenges in the dynamic between developers and security teams, that can negatively impact both the working culture and the team’s productivity.
To address these issues, fostering a more collaborative working relationship is crucial.
This would not only allow developers to meet pressing release deadlines but also ensures that security measures are integrated right from the start of the development process.
This approach prevents potential problems with security further down the line.
While trust between these teams might seem abstract, it has a direct and measurable impact on the bottom line, as software is now the driving force for most businesses.
Adopting strategies that promote a productive relationship between developers and security teams, characterised by open dialogue, is essential.
The barriers to effective developer-centric AppSec To gain a clearer picture of the challenges that teams face, we commissioned a study with CISOs, AppSec managers and developers.
We found that 61% of respondents perceive security measures as ‘getting in the way of’ the development process.
The research also found that nearly half, 48%, of developers struggle to identify and prioritise security risks effectively.
Furthermore, there appears to be a lack of clarity regarding the ownership of AppSec responsibilities, which can lead to gaps in accountability.
Alongside practices and processes, we also found issues around knowledge and skills development.
AppSec is a complex and ever evolving field within cybersecurity, which requires ongoing education and training.
It’s essential that developers are provided with the appropriate tools and are also kept up-to-date with the latest developments in AppSec to integrate security seamlessly into the development lifecycle.
Nevertheless, opinions vary on who should be responsible for this training.
Approximately half of the respondents believe that the AppSec teams must train developers, while the other half advocate for developers to engage in self-directed learning through interactive online courses.
This split underscores the need for a unified approach to educating teams on cybersecurity, which is crucial for protecting both applications – and the organisation – from sophisticated threats.
The disconnect between development and security teams has intensified as digital transformation accelerates.
Developers are under increasing pressure as organisations strive to deploy applications more rapidly.
This urgency is compounded by technological advances in IoT, AI, and 5G, which demand faster software delivery yet are often at odds with the stringent requirements of robust application security.
This presents a substantial challenge as developers are focused on delivering feature-rich, user-friendly products, whereas security teams are tasked with ensuring these applications are secure and risk-free.
Despite these differing priorities, there is a vital business need to foster a strong collaborative environment where both teams work together.
Closer co-operation ensures that application security is not an afterthought but a fundamental, strategic component of the development lifecycle.
Having access to the right tools also makes a big impact on smoothly integrating development and security.
Developers have clear preferences for AppSec solutions that integrate smoothly with their workflows.
Notably, 67% of developers favour receiving scan results directly in their Integrated Development Environment (IDE), enabling them to quickly identify and prioritise issues without disrupting their workflow.
Developers’ priorities also include a low rate of false positives or negatives so they are not distracted from the task at hand and not needing to use separate security tools so they don’t have to hop from one tool to another.
These preferences highlight the need for tools that are not only effective but also user-friendly and integrated within the environments developers are accustomed to.
As the shift towards cloud-native application development continues, the use of open-source code opens up greater risks and makes the role of developers in addressing vulnerabilities even more critical.
Providing AppSec solutions that fit naturally into the developers’ existing tools and processes is essential.
Integration not only supports developers in their primary tasks but also enhances the organisation’s overall security posture by enabling efficient and proactive vulnerability management.
Building a more collaborative working relationship between the two teams starts at the top and CISOs and senior leaders must take the lead in spearheading improvements in AppSec.
Their proactive involvement is essential in setting standards and fostering an environment where trust and alignment are not just goals but foundational elements of the security strategy.
This leadership is vital to ensure that AppSec enhancements are effectively implemented, aligning with the broader objectives of the organisation and securing its digital assets against emerging threats.
Adopting a holistic approach Approximately 60% of software vulnerabilities are detected during the coding, building, or testing phases.
This highlights the need for a holistic approach to security processes covering every stage of the Software Development Life Cycle (SDLC).
This strategy extends beyond the traditional ‘shift left’ approach, towards a ‘shifting everywhere’ approach to integrate security throughout the entire development process.
SAST (static application security testing) tools are a must, but no longer enough.
Utilising a comprehensive cloud-native AppSec platform can greatly enhance this integration, allowing development teams to embed security scans within their Continuous Integration/Continuous Deployment (CI/CD) workflows.
This promotes more collaborative interactions between the development and security teams and strengthens the overall focus on security throughout the product development lifecycle.
Establishing clear Key Performance Indicators (KPIs) aligns the work of development and security teams.
These KPIs might include metrics such as the number of vulnerabilities identified in initial scans or timelines for their mitigation.
This framework tracks security progress and helps teams to regularly assess improvements against business goals.
Developers observing the direct impact of these security measures on the company’s success are more likely to commit to stringent security protocols.
By empowering developers with increased responsibility and influence over AppSec decisions, they become key stakeholders in the decision-making process.
The developer experience is often hindered by inadequate training in secure coding.
This presents a dilemma as developers may lack the necessary training, and immediate implementation of training doesn’t guarantee instant results.
Addressing this issue effectively involves delivering security training in a manner that allows developers to apply new skills promptly.
Currently, only half the developers we surveyed have access to formal security training.
Since developers prefer operating within their familiar IDEs, embedding security guidance into these environments could significantly enhance their security practices.
Engaging developers in their preferred settings is essential for improving their experience and is fundamental to fostering a robust DevSecTrust environment.
Ultimately, fostering close co-operation between development and security teams is important for the success of any software-centric organisation.
By seamlessly integrating strategic AppSec measures within developers’ workflows and providing focused training, organisations not only bolster their security posture but also maintain their competitive edge.
And by working closely together, teams can clearly see how their efforts are contributing to the overall cyber resilience of their organisation.
