Bridging the gap between development and security teams [Q&A]
Friction and lack of communication between development and security teams can lead to problems in software development and testing.
How can we bridge the gap between developer and security teams and help them see that they have common goals? We spoke to Scott Gerlach, CSO and co-founder of StackHawk, the company making web application and API security testing part of software delivery, to find out.
BN: Why is there such a significant disconnect between security and developer teams in modern IT environments?
SG: Security and developer teams are often siloed in their own departments due to lack of cooperation and partnership encouraged by an organization's culture and application development and security processes -- a problem that's only heightened by the inherent perception of complete separation between their roles and responsibilities. From a developer's perspective, their job is to solve complex challenges with code and develop solutions that create value for customers to drive revenue for the organization. On the other hand, security experts perceive their job to be protecting the organization from internal and external threats, which can come in various forms including protecting existing revenue from current customers. The problem is: developers are the experts on apps, and security teams are the experts on threats, but who's the expert on application-related threats? That's where organizations struggle to draw a clear line, resulting in gaps in coverage and vulnerabilities left unpatched for anyone to access an organization’s sensitive assets.
Today's modern IT environments are lacking clear roles and responsibilities across both development and security teams about their application/API security strategy. However, in order to define these parameters and processes for testing and securing applications as they're being developed, developers and security experts need to communicate and get on the same page about who's testing what, when, how, and how frequently -- another key aspect of shift-left security that many organizations are still struggling to practice. Both of these problems are a product of an organization's internal structure complicitly allowing developer and security teams to remain siloed, rather than proactively encouraging their collaboration and a more interconnected and balanced relationship.
BN: Where do you see the main disconnect between both teams?
SG: When a vulnerability or bug is found in production or go-to-market phases of software development, the disconnect may appear to start and end there. However, looking at the root of these problems popping up later in production, it’s almost always the case that these vulnerabilities could have been avoided earlier on if engineers and security teams were on the same page about pre-production design and testing.
The main disconnect between both teams is in the earliest stages of production and development -- when security experts and software engineers should be working as one to gain full visibility into an organization’s value proposition and formulate clear plans and procedures for designing and testing applications while they're being developed to avoid a harmful breach later on. When security teams don't involve developers, the ones closest to the code, in making decisions about security vulnerabilities, prioritization and false positives, this creates another roadblock for developers. Conversely, if malicious actors gain access to an organization's infrastructure through a vulnerability that developers didn't tell security teams was there in the first place, security teams feel the heat -- reinforcing the lack of trust between teams, and hampering the security team's ability to keep up.
BN: Is this a recent issue in the IT/software application industry?
SG: The lack of effective communication and collaboration between developers and security teams is by no means a recent issue in the IT/software application industry; however, the problem is more acute as it has become easier and faster to develop, ship and iterate APIs and applications. According to a recent survey, 74 percent of security professionals have either already begun shifting left or plan to within the next three years. More and more organizations are recognizing the importance of testing applications before they go to production, shedding more light on not only how fragmented the relationships and communication between developers and security teams are, but also how detrimental the impacts of this can be on the organization and its business productivity and security as a whole.
BN: What larger impacts does this fragmented relationship have on the organization and its stakeholders?
SG: When software engineers and security teams don't have a relationship based on cohesiveness and collaboration, the organization, along with its stakeholders and IT infrastructure, will suffer. One common product of ineffective communication between the two sides is the presence of zombie APIs. Security experts and developers often struggle to agree on what a zombie API is, whether or not they exist, how to mitigate the damage they cause, and how to prevent them in the future. Because these APIs are no longer under development but still remain alive, DevSecOps teams aren't regularly running patching or maintenance processes to ensure they're not exposing an organization's vulnerabilities that are lingering in the shadows. Zombie APIs are then removed from documentation and an organization's API security testing program, leaving them to rot over time and expose new vulnerabilities.
The overall culture and harmony within an organization are also largely impacted when a relationship between two integral, but often separate, departments is fragmented. When developers and security experts work in silos, applications aren't tested properly, vulnerabilities appear, data can be compromised, and business operations can be disrupted -- ultimately negatively impacting both organizational productivity and internal culture. Neglecting the human element in the adoption of shift-left security practices can have serious consequences. It is crucial to engage every essential stakeholder in the procedures and processes related to application/API security to avoid conflicts, frustration and diminished productivity.
BN: How can organizations bridge the gap between security experts and developers, and what are best practices for doing so?
SG: Leveling up security requires ownership by all. Just as accounting is responsible for finances, every member of the organization must follow budgets and processes to help meet financial goals. Security needs to be a shared priority involving conversations that encourage accountability and ownership by the teams that build applications and the ones that secure them. Once you have clear processes and roles determined and effectively communicated, it's equally important to gather and review feedback from all key stakeholders involved in automation, product, engineering and security. A cohesive and interdependent relationship between software engineers and security experts that is maintained with clear communication and shared objectives allows security and development goals to align -- further creating a well-oiled machine that develops software efficiently and, most importantly, securely.