The CISO role is filled with contradictions. Secure the corporate infrastructure, but do not slow the business. Work with developers to produce more-secure code, but do not delay development. Often short on resources, CISOs leading the security charge struggle to keep up with the daily demands of the security issues threatening the business. The rise of continuous integration and continuous deployment (CI/CD) and of developer-centric processes such as DevOps has only added more volatility to their responsibilities.
On the other hand, development groups feel squeezed between increasing demands to deliver software more quickly—that is, a shorter time to market—and pressure to accommodate additional business requirements, including security testing imposed by the security department. Having to adhere to cryptic security requirements and deal with vulnerability reports containing mysterious vulnerability descriptions makes their jobs even harder. In addition, security often causes conflict, such as when developers must wait for weeks for security approval or when external penetration tests disrupt development work and planning.
At first glance these conflicts might look imposing and insurmountable. Here's why they arise, and how to build bridges in your organization for greater cyber resiliency.
Ignorance and misconceptions
Few application security specialists come from the software development side of the house, and very few CISOs have a background in software development. At most, their experience might come from minor projects during college or scripting in their free time.
So it's easy to overlook the complexity of modern software development. The move toward more development-centric DevOps practices is often misunderstood as embracing a development Wild West without limits or boundaries for developers. Meanwhile, developers' reluctance to add time-consuming security testing to the CI/CD automation is misunderstood as resistance to security overall, and the recurrence of specific issues is read as not caring about security.
For software developers, security is yet another requirement. Unlike performance, though, it is shrouded in a haze of unfamiliar terms and abbreviations. Where test automation is seen as part of the team's responsibility, security testing is commonly still an external activity injected into the developers' build pipeline. No wonder, then, that security is viewed more as a burden than as a responsibility.
Both development and security are business drivers. Development enables business functionality, and security ensures that business can be done in a responsible way.
Similarities and mutual respect
Security issues must be treated as quality issues: if they cannot be prevented, they must at least be detected early and fixed as soon as possible. Early detection means early and continuous testing and validation. That means security tools must be given to the developers, and they must become developer tools. Early detection of security issues means analyzing the code for issues from the moment it is written until after it is deployed.
Good developers care about the quality of their creation, and security is an aspect of quality. They are by definition the specialists in their own development pipeline and should be the ones to integrate security testing automation into the development cycle. The status of the code and of its testing should be communicated through a software security dashboard.
Building alliances
Security must work with the development team on tool selection, because the tools must fit their purpose and environment. Integrating CI/CD with continuous security testing requires that security experts become the sponsors of the tools and the mentors for solutions. There will never be a 100% secure deployment; we must continuously monitor and respond to an ever-changing reality. Responsiveness is a key quality of DevOps that security can fully leverage to maintain, or return to, optimal security.
Development will need support and guidance to reach the same level of security understanding and expertise that it has already achieved with software testing. This is the new role for security: to guide and sponsor security initiatives within development. Finally, security must work with HR to show developers that security is a viable career path, for example by establishing the formal role of security champions as the link between security and developers.
Be the guide to security in your organization
In the end, the saying "Unknown is unloved" certainly applies to the development and security camps. Two neglected requirements of a successful security practice are bridge-building and cross-domain communication. IT security professionals should understand that they are not securing artifacts or valuables like a security guard. Rather, they guide those who are responsible for enabling digital business so that they can do so securely. They can only accomplish this by creating readable policies, formulating understandable guidelines, and, most of all, building alliances.
This is the first of a series of articles about leveraging DevSecOps in your business to reduce sleepless nights for CISOs and app sec managers, reduce friction with security teams, and maintain agility and speed of delivery for development. The goal is to guide CIOs, CTOs, and CISOs toward a win for everyone: faster delivery of more secure, and therefore higher-quality, software, along with oversight and control of the enterprise's software assets.