Collaborate to Mitigate: Building Stronger Connections Between Developers and Security Teams
January 10, 2024

Scott Gerlach

The complex, turbulent and disconnected relationship between developers and security teams has been ongoing for more than a decade. Stemming back to the early digital transformation days, faster software development lifecycles, the introduction of cloud environments, along with the proliferated use of APIs, has led to mass friction between the two parties.

Before rapid digitization, when software releases were infrequent and cyber threats were sparse, the collaboration between these two teams, or lack thereof, was more inconspicuous. Developers and engineers would develop code, and security teams would become aware of new applications once in production. However, as the speed of application development has accelerated and with security testing and reviews now required daily, the lack of cohesivity and unification among these teams has become undeniable.

While developers are facing internal pressure to build next-generation applications at astronomical speed, security teams are wrangling with an increasingly volatile cyber threat landscape, growing consumer concerns for applications built to secure their data, and the broad surface of threats they have to cover along with API security. According to Palo Alto Networks' 2022 What's Next In Cyber survey, 71% of CISOs state that security slows down DevOps in their organizations. In most instances, the roadblocks faced by both teams comes down to a lack of clear communication and the absence of workflow policies and procedures, which often prove detrimental.

So how can organizations start to bridge this gap and enable these teams to perform together at the highest level?

Well, it starts with developers and security teams realizing that their goals are more common than they think: bringing innovative software applications to market efficiently and securely. There are myriad ways organizations can break down the silos, reduce conflict and ensure that these two teams become valuable partners.

Start with Leadership

The role of leadership is paramount in bridging the gap between security teams and developers, underscoring the imperative of security as a shared responsibility. In much the same way that accounting assumes responsibility for financial matters, requiring engagement from every organizational member for financial success, security necessitates a collective effort. Leadership teams play a crucial role in setting the tone for this collaboration, emphasizing that security is not solely the concern of those with "security" in their titles but is a shared priority across all roles.

IT leaders should critically assess which teams hold responsibility for different aspects of the application security process and clearly communicate to DevOps, engineering, product, and security teams. Once well-defined processes and roles are established and communicated effectively, it becomes equally important to collect and review feedback from all key stakeholders involved in product development, engineering, and security.

Outlining processes and setting appropriate timeframes for security testing and remediation are critical steps in solidifying a robust and cohesive approach to application security.

Consider Developers When Purchasing Security Tooling

Engage with your developer counterparts to understand the tech stack they use and how they build software/applications. Building a shared understanding of their workflow and gaining insights into tool preferences provides an advantage in creating a solid foundation for bridging the relationship gap. Investigate tools that developers will genuinely like and use. Don't exclude developers from the equation; if they have time, ask for feedback or involve them as key stakeholders in the evaluation process.

Implement Joint KPIs

Setting and pursuing shared goals is another aspect that can significantly enhance cohesive working practices between security and development teams. Rather than having each team working at cross-purposes. The goals and metrics developers and security teams share will vary within every organization, largely depending on their industry, the types of software delivered and how applications are hosted. These types of KPIs can include change failure rate, issue resolution time, time to patch and time to value.

At the end of the day, both teams want to help their company succeed, but differing motivations, mindsets, and KPIs often lead to miscommunication and a lack of collaboration. Bringing together these two perspectives into one shared language will ease the conflict that stands in the way of accelerating growth and success within software development companies. A united front will safeguard organizations from today's most advanced threats.

Scott Gerlach is CSO and Co-Founder of StackHawk
Share this

Industry News

February 22, 2024

Check Point® Software Technologies Ltd. introduces Check Point Quantum Force series: an innovative lineup of ten high-performance firewalls designed to meet and exceed the stringent security demands of enterprise data centers, network perimeters, campuses, and businesses of all dimensions.

February 22, 2024

Tabnine announced that Tabnine Chat — the enterprise-grade, code-centric chat application that allows developers to interact with Tabnine AI models using natural language — is now available to all users.

February 22, 2024

Avaamo released Avaamo LLaMB™, a new low-code framework for building generative AI applications in the enterprise safely, securely, and fast.

February 21, 2024

CAST announced the winter release of CAST Imaging, an imaging system for software applications, with significant user experience (UX) enhancements and new features designed to simplify and accelerate processes for engineers who develop, maintain, modernize, complex software applications.

February 21, 2024

Pulumi now offers native ways to manage Pinecone indexes, including its latest serverless indexes.

February 21, 2024

Orkes, whose platform offers the fastest way to scale distributed systems, has raised $20 million in new funding.

February 20, 2024

JFrog and Carahsoft Technology announced a partnership that empowers U.S. Government organizations to safeguard their software supply chains with automated DevSecOps workflows to secure software services consumed by citizens.

February 20, 2024

Multiplayer, a collaborative tool for teams that work on system design and distributed software, announced its public beta.

February 20, 2024

DataStax announced its out-of-the-box retrieval augmented generation (RAG) solution, RAGStack, is now generally available powered by LlamaIndex as an open source framework, in addition to LangChain.

February 20, 2024

UiPath announced new features in its platform designed to enable developers to build, test, and accelerate implementation of automations.

February 15, 2024

Kong announced a suite of open-source AI plugins for Kong Gateway 3.6 that can turn any Kong Gateway deployment into an AI Gateway, offering unprecedented support for multi-Language Learning Models (LLMs) integration.

February 15, 2024

ngrok unveiled early access to its API gateway-as-a-service.

February 15, 2024

Tabnine announced a strategic partnership with DigitalOcean.

February 15, 2024

Salt Security announced that the Salt Security API Protection Platform is now available for purchase in the CrowdStrike Marketplace, a one-stop destination for the world-class ecosystem of CrowdStrike compatible security products.

February 14, 2024

Perforce Software signed a definitive agreement to acquire Delphix.