How to Bridge the Divide Between DevOps and AppSec

Recent research shared a first look into how the pandemic and the shift to remote work have impacted AppSec and DevOps teams. 66% of developers. Around 72% of AppSec professionals say teleworking is stressful. For a deep dive into how COVID-19 and telework are impacting developer and AppSec productivity, read this article.

November 12, 2020

Digital transformation is putting pressure on organizations to develop applications at increasing speeds, creating a philosophical divide between DevOps and application security teams. Here, John Worrall, CEO, ZeroNorth discusses how the right technology can bridge this growing divide.

Digital transformation is putting pressure on organizations to develop applications at increasing speed. A recent Ponemon study found well over half of developers are now feeling the pressure to develop applications faster than before digital transformation. As they work to keep pace, many in the DevOps world believe the biggest obstacle standing in their way is security. 

AppSec professionals, however, don’t quite see it that way. As more organizations embrace DevOps to fuel digital transformation, faster software delivery means greater security risk. In this new reality, many Application Security (AppSec) professionals claim application risk is increasing within their organizations—and further, that security is generally undermined by developers who don’t feel the need to secure applications early in the software development life cycle (SDLC). 

In truth, a large percentage of AppSec professionals say it’s hard to work with developers because they publish code with known vulnerabilities, will accept flaws if they believe the application will be a big seller, do not demonstrate sufficient security practices, and are not incentivized to have sufficient security practices in place. Developers responding to these observations would likely cite a lack of understanding on the part of security teams, who don’t recognize the massive, ongoing pressure on DevOps to meet organizational deadlines, a metric often used to review their performance. 

The Divide Has Real Consequences

Let’s face it, development and security teams don’t often see eye-to-eye. With one team focused on building and delivering software fast and the other on caution and controls to minimize risk, it’s easy to see why working together creates conflict. In fact, when asked to rate the difficulty in working together on a scale of one to 10, 69% of developers and 66% of AppSec professionals indicated “10,” or very difficult.

For most companies, software is what helps them stay competitive in the market. It is the supreme business differentiator and the key to rolling out new products and services. And in the name of productivity and profit, software needs to be rolled out quickly to meet customer demand. The first major obstacle in this cultural divide relates to the simple notion of ownership. Despite the major importance of security in software production, most organizations have trouble identifying who exactly owns it. 

As the responsibility conversation continually shifts to something more federated, the notion of “everyone owns security” can quickly lapse into no one, especially when there’s no accountability and executive-level support. And it goes without saying, the absence of a security champion to advocate for good digital hygiene can impact business objectives, cause massive product delays and ultimately affect the bottom line. 

There is some good news. Security professionals and developers do agree on the need for a more united future. CISOs and other security leaders have an opportunity to bridge the gap between development and security by embracing a federated model for AppSec, whereby security sets standards and provides frameworks, while DevOps and product teams execute what’s appropriate for the business. By serving as “uniter” for security, DevOps and the business, the CISO and other security leaders have the ability to ensure security is front-and-center without hindering the speed and velocity requirements of development teams. 

Good Intentions, Bad Approach

In many organizations, senior leadership recognizes the misalignment between security and development. They want to help. But as Thomas Edison once said, “A good intention with a bad approach often leads to a poor result.” 

To drive lasting organizational change, senior leadership must first build consensus on priorities. They can’t expect to align diametrically opposed teams if they cannot align themselves. This begins with acknowledging that application security must be a shared responsibility across corporate security and risk, product security and development teams. The next step is clearly defining governance and operational responsibilities to drive action and accountability. In other words, security is now the job of all parties, and these teams must come together into an integrated partnership to make it happen. 

CISOs and security leaders also need to ensure sufficient resources are allotted to safeguard software throughout the development and production phases of the SDLC. This includes training and support to help developers build the secure coding skills, processes and tools that everyone will need to take action. Continuous testing throughout the development life cycle also keeps security coverage current as threats and the company itself evolve. As members of senior leadership, CISOs need to build security into the organization’s overall risk management strategy and report on the business’ most important KPIs. 

McKinsey research found that when senior leadership aligns on their change story and communicates it with the organization, they can increase the odds of success six times over. As the organization’s cybersecurity champion, the CISO should take the lead in driving this effort, helping to bring leadership together, clearly articulating goals, defining roles and policies, and centrally setting the bar.

Technology’s Role In Driving Lasting Organizational Change

A practical approach for shared AppSec responsibility cannot hinder DevOps’ ability to innovate at high velocity. Yet developers must prioritize developing secure code. This is where technology can play a supporting yet critical role in driving large-scale organizational change. The right platform can:

  • Unify security standards, policies and analytics, and apply them consistently across the enterprise. This gives security leaders a single, centralized view of risk and drives better, more confident decision making. 
  • Arm security and product teams with local enforcement and product control by orchestrating the continuous discovery and remediation of vulnerabilities within DevOps pipelines and across a wide range of security scanning tools. This empowers software engineers to fix code while they are already working in it, increasing their productivity and keeping the delivery schedule.
  • Make it easy for developers to do the right thing. Emerging technologies can compress security findings down to the most critical, priority issues. With transparent and friction-free AppSec, developers can meet security standards without changing their workflows and without wasting time chasing low-risk or duplicate vulnerabilities.

In our DevOps world, application security is now the responsibility of many—and is imperative for continued business success. That’s something AppSec and development teams can both agree on. By aligning around this shared understanding and responsibility model articulated by leaders at the top, teams can begin bridging the deep cultural divide and moving toward DevSecOps, for the good of software. 

John Worrall
John Worrall joined ZeroNorth in 2019 as chief executive officer, leading the company in its delivery of the only platform for risk-based vulnerability orchestration across applications and infrastructure. As CEO, John heads up all aspects of the company's strategy, product, operations and go-to-market functions.

Prior to ZeroNorth, John was chief marketing officer (CMO) at CyberArk, where he played a critical role in leading the company through its initial public offering. Prior to that, John held the position of executive vice president at CounterTack, serving on the leadership team that secured the company's Series A funding. Before his time at CounterTack, John was the chief marketing officer at ActivIdentity; vice president and general manager of the Security Intelligence & Event Management business unit at RSA; and CMO at RSA. Earlier, he held various roles in product management, sales and systems engineering.

In addition to leading ZeroNorth, John serves on the Board of Directors at FamilyAid Boston, a nonprofit that helps children and their parents facing homelessness in Greater Boston. He holds a bachelor's degree in economics from St. Lawrence University.