The complex, turbulent and disconnected relationship between developers and security teams has been ongoing for more than a decade. Stemming back to the early digital transformation days, faster software development lifecycles and the introduction of cloud environments, along with the proliferated use of APIs, have led to mass friction between the two parties.
Before rapid digitization, when software releases were infrequent and cyber threats were sparse, the collaboration between these two teams, or lack thereof, was more inconspicuous. Developers and engineers would develop code, and security teams would become aware of new applications once in production. However, as the speed of application development has accelerated and with security testing and reviews now required daily, the lack of cohesivity and unification among these teams has become undeniable.
While developers are facing internal pressure to build next-generation applications at astronomical speed, security teams are wrangling with an increasingly volatile cyber threat landscape, growing consumer concerns for applications built to secure their data, and the broad surface of threats they have to cover along with API security. According to Palo Alto Networks' 2022 What's Next In Cyber survey, 71% of CISOs state that security slows down DevOps in their organizations. In most instances, the roadblocks faced by both teams come down to a lack of clear communication and the absence of workflow policies and procedures, which often prove detrimental.
So how can organizations start to bridge this gap and enable these teams to perform together at the highest level?
Well, it starts with developers and security teams realizing that their goals are more common than they think: bringing innovative software applications to market efficiently and securely. There are myriad ways organizations can break down the silos, reduce conflict and ensure that these two teams become valuable partners.
Start with Leadership
The role of leadership is paramount in bridging the gap between security teams and developers, underscoring the imperative of security as a shared responsibility. In much the same way that accounting assumes responsibility for financial matters, requiring engagement from every organizational member for financial success, security necessitates a collective effort. Leadership teams play a crucial role in setting the tone for this collaboration, emphasizing that security is not solely the concern of those with "security" in their titles but is a shared priority across all roles.
IT leaders should critically assess which teams hold responsibility for different aspects of the application security process and clearly communicate this to DevOps, engineering, product, and security teams. Once well-defined processes and roles are established and communicated effectively, it becomes equally important to collect and review feedback from all key stakeholders involved in product development, engineering, and security.
Outlining processes and setting appropriate timeframes for security testing and remediation are critical steps in solidifying a robust and cohesive approach to application security.
Consider Developers When Purchasing Security Tooling
Engage with your developer counterparts to understand the tech stack they use and how they build software/applications. Building a shared understanding of their workflow and gaining insights into tool preferences provides an advantage in creating a solid foundation for bridging the relationship gap. Investigate tools that developers will genuinely like and use. Don't exclude developers from the equation; if they have time, ask for feedback or involve them as key stakeholders in the evaluation process.
Implement Joint KPIs
Setting and pursuing shared goals, rather than having each team work at cross-purposes, is another aspect that can significantly enhance cohesive working practices between security and development teams. The goals and metrics developers and security teams share will vary within every organization, largely depending on their industry, the types of software delivered and how applications are hosted. These types of KPIs can include change failure rate, issue resolution time, time to patch and time to value.
At the end of the day, both teams want to help their company succeed, but differing motivations, mindsets, and KPIs often lead to miscommunication and a lack of collaboration. Bringing together these two perspectives into one shared language will ease the conflict that stands in the way of accelerating growth and success within software development companies. A united front will safeguard organizations from today's most advanced threats.