Your software defines your business. It’s what sets you apart, but it’s also what can bring your organization down if it’s not secure. There’s a constant conversation around the need for a unified approach to software security. That’s really what DevSecOps is all about—and yet, the current AppSec model is anything but collaborative.
By John Worrall, CEO, ZeroNorth
This schism between security teams and developers, this cultural divide, comes into play primarily in the way it affects our ability to rapidly build and deliver secure products. CISOs and product security leaders must be able to answer the question, “Who owns security?” And the answer can’t just be “I do.” Even though DevSecOps promotes a mindset of shared responsibility, without accountability and executive-level support, “everyone” owning security can quickly lapse into “no one.”
And without this critical piece lodged firmly in place, there’s still lots of work to be done.
Dealing with Misalignment
Some valuable data has recently come out on this cultural divide between security and development. 77% of developers say this existing gap affects their ability to meet deadlines, while 70% of AppSec professionals say this misalignment puts the security of applications at risk.
Both teams admit that working together is a challenge. When asked to rate the difficulty in working together on a scale of one to 10, 69% of developers and 66% of AppSec professionals rank it as 10 — extremely difficult. Their differences don’t end there. They don’t agree on the scope of the problem. Only 35% of developers say application risk is increasing, while 60% of AppSec professionals believe this to be true.
Different teams, different priorities, different perspectives. This means it’s not technology or even systems getting in the way — but people. Before you can even think about investing in new technology or expanding your AppSec program, you need to get your people aligned.
This starts by bringing business, security, and product team lead together to lay the groundwork. Level-set on the need for an alignment plan focused on collaboration and accountability to ultimately ensure secure software development. Discuss the importance of clearly defined and aligned objectives, ways to achieve them through incentives and SLAs, and how technology can support this people-centric approach. Then, you’re ready for step one: figuring out exactly who owns what.
Governance and Operations (Who owns what?)
Much of today’s fragmentation stems from a fundamental disagreement around responsibility for application security. The same industry study found 39% of developers believe their security is responsible, while 67% of AppSec practitioners say they are responsible. Who’s going to set up the policy? Who’s going to measure its performance? Who’s going to drive continuous improvement? And then, who’s actually going to create secure code?
Who does what is important. This may look different from organization-to-organization, but the majority of businesses I’ve spoken with have adopted a hybrid model, where security is responsible for governance; development is charged with implementation. Security teams set standards, measure performance to standards, and work with all levels of the organization to communicate the current risk status and the progress of improvement initiatives. The most mature security teams have evolved the role of security champions from blockers to enablers, becoming advisors and coaches to the development teams.
In regulated industries with heavy compliance requirements, the governance function is particularly critical. Yet in many companies, DevOps and security teams still operate in isolation until the very end of the software development lifecycle, with developers moving fast to push out new code, only to be stopped in their tracks due to late-breaking reports from security on discovered vulnerabilities or quality issues.
With so much at stake, these regulated industries must adopt a governance model that gives security teams enterprise control and a global view of risk to meet consistent security and compliance standards. Yet these centralized policies must be enacted locally to empower developers to rapidly and securely deliver innovation. This flexibility makes it easier to incorporate tools that allow developers to fix issues while they’re coding.
Within this framework, developers can operate within their existing, preferred workflows (or choose their own security tools, if they want), while ensuring all tools and workflows contribute to a centralized, prioritized view of risk across the entire application portfolio. With one source of truth that is reported on, and trusted by, all parties, organizations can pinpoint key gaps and continuously improve the enterprise security posture.
Unification is the Key
Research tells us, there’s much work to be done to tear down siloes, reshape mindsets and unify teams. As companies accelerate their shift toward DevOps, this cultural disconnect will continue to expand until organizations find a way to bring security into the DevOps world. I believe unification is the only way organizations can make this reality.
Embracing the right technology platform will help accelerate this unification effort and make a shared responsibility model work in three key ways:
- Provides the necessary structure. By activating unified, enterprise standards, policies, and analytics that power continuous risk and compliance enforcement, organizations can innovate with confidence.
- Accelerates pipeline velocity. By orchestrating the continuous discovery and remediation of vulnerabilities across the SDLC, security and product teams can collaboratively accelerate application delivery.
- Unburdens developers. By making AppSec programs transparent and friction-free, developers can meet corporate standards without changing their workflows or being flooded with non-priority tickets and issues.
Security Leaders at the Finish
You’ve aligned on objectives, crystallized responsibilities, and established a framework. Now, where do you go from here?
All team leads must agree to do their prescribed parts to make DevSecOps a reality. This requires a unified management approach, based on a shared desire to deliver secure software, define and support software security standards and hold themselves, and their teams, accountable. Yet every major organizational change initiative must have a champion.
CISOs are uniquely positioned to spearhead this unification effort at the management level and serve as “coach” for development teams, motivating them to prioritize security, improve practices, and embrace a more collaborative culture.
It will take more than good intentions, however, to move the needle. The same research shows lip service won’t get you far: nearly half (48%) of developers say their leadership teams are already trying to improve teamwork. An organizational shift of this magnitude also requires the right tools and processes in place to centralize AppSec management, orchestrate disparate security tools, automate manual processes, surface actionable intelligence, streamline remediation and deliver robust analytics and reporting. This is where CISOs need to take the reins, architecting an AppSec program that enables developers to drive security within their teams on a continuous basis and aligns security with the pace of development. In doing so, they will bring value to the executive leadership team and the business as a whole.
Software security is too important to get wrong. The time is now to get it right. It will take a commitment from all sides to build this type of shared vision for the future. Once all parties realize application security vulnerabilities put the business at risk in the same way as financial or market risk, they’ll hopefully begin to see the light — and to promote a vision of shared responsibility for the good of software.
References:  Revealing the Cultural Divide Between Application Security and Development
About the Author
John Worrall is CEO of ZeroNorth in 2019 as chief executive officer, leading the company in its delivery of the only platform for risk-based vulnerability orchestration across applications and infrastructure. As CEO, John heads up all aspects of the company’s strategy, product, operations, and go-to-market functions. In addition to leading ZeroNorth, John serves on the Board of Directors at FamilyAid Boston, a nonprofit that helps children and their parents facing homelessness in Greater Boston. He holds a bachelor’s degree in economics from St. Lawrence University.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.