Rebuilding trust between developers and security [Q&A]
The demands of modern business IT environments can often lead to friction between developers and security teams which can hamper the successful rollout of cloud security.
Developers want to deliver features as fast as possible and security teams want things to be as secure as possible, so there is a constant conflict of interest. We spoke to David Hendri, CTO and co-founder of cloud security startup Solvo, to discover how to rebuild the trust between developers and security by creating a common language.
BN: What specific roadblocks stand in the way of healthy developer/security relationships?
DH: Despite the fact that both teams ultimately want what is best for the organization, the guiding stars that developers and security teams are following are inherently different. Developers are focused on bringing new features and products to market as quickly as possible, while security teams are focused on creating the most secure environment. Because innovation and security, although equally important, sometimes clash, these teams are constantly hitting roadblocks that could eventually be detrimental. For example, security leadership will often introduce requirements in order to adhere to the latest security standards without checking in to see how these requirements impact the development process. They have done this so often that security teams have, unfortunately, earned the label of 'regulator', slowing down the progress developers are working towards. Simultaneously, however, developers can often dismiss security as something to be dealt with post-production, rather than integrating secure standards earlier in the Software Development Life Cycle (SDLC).
BN: What types of attack methods and risks are development teams most susceptible to? How has this changed from previous years and what can we expect to see in the new year?
DH: Attacks into the software supply chain allow threat actors to cause disruption before an application ever makes it into production. Software supply chain attacks have dramatically increased and, as such, are forcing development teams to stay ahead of these shifting attack methods and risks. A case in point was the Log4j vulnerability in December 2021, where millions of devices were compromised from one software supply chain insecurity. Another example was in the year prior, in 2020, when IT company SolarWinds was a victim of malware that was delivered through the company's internal servers during a regular software update. The problem at hand is that insecure code remains in a production environment until it is fixed, and the responsibility often falls in the hands of developers. This is why cybercriminals are on a relentless search for zero-day vulnerabilities, eager to exploit them for differing motivations before organizations can patch them. In order to mitigate this risk this year and beyond, working towards improving the relationships between security and developer teams is vital. As organizations continue to transition their infrastructures to the cloud, they will also have to address the different attack surfaces vulnerable to attackers. Increasingly complex compliance standards and regulations will lead organizations to search for technologies and strategies to simplify this and mitigate the risk that comes with it.
BN: What are the steps CISOs can take to reduce friction between the two groups?
DH: CISOs can take this as an opportunity to frame success to the development team in a way that aligns with business growth. For example, CISOs should reiterate that having a secure product adds inherent value to it, particularly in an age where everything is digital. Prospective clients are very often looking for products that uphold security standards and this is a critical deciding factor for purchasing. Once a core culture has been established, CISOs should examine the processes at play and tactically implement security into the development lifecycle. They should make sure that security experts are a part of the build and planning phases, so that developers can understand what’s needed for secure code.
BN: What are some immediate steps application development leads can take to reduce friction?
DH: In order to reduce friction on the development side, leads should ensure their teams' insights and goals are heard and clearly explained to security teams and IT leaders. This will enable leads on both development and security teams to pave the path for the most seamless integration within workflows. Engineering leads should also implement security as a top KPI for the success of a new feature or product rather than only focusing on how new and innovative a functionality is. Lastly, all developers should be given formal training on the basic tenets of cloud security; this is an investment that will continuously pay off long term.
BN: Does business leadership have a role to play, and if so, what can it do?
DH: The goal of business leadership is to bring together the goals of security and the goals of engineering to create a common, shared language. Oftentimes, it takes a cultural shift from the executive leadership team. Business leaders should make it their goal to communicate that a secure product is a key piece of a competitive offering and should relay to developers that security is a business enabler, not a development blocker. Establishing a culture that brings both goals together is no easy task and will take an investment in training, education and a rethinking of processes to break down dated ways of working.