The most productive DevOps teams achieve secure software development by baking sec in from the start. That’s a worthwhile goal, but the reality is developers and security teams don’t always get along. From squabbles around where the buck stops to finger-pointing about finding and fixing bugs, dev and sec often struggle to get on the same page.
At a time when the security stakes have never been higher, dev and sec simply have to figure it out.
Here are our top five tips to bridge the gap between dev and sec and truly welcome security into the DevOps fold.
1. Forget the past
In the bad old days, a security officer swooped in when code was about to hit production to point out problems and demand changes, often with little or no context or explanation. Developers didn’t exactly fall all over themselves to cooperate. TL;DR: there’s plenty of blame to go around for the lack of secure software development.
Thankfully, DevOps and modern application development bring fresh narratives and workflows. Nearly 28% of security pros now work in cross-functional DevOps teams, according to our 2021 Global DevSecOps Survey. And over 70% have shifted security left, the survey found.
What’s the secret to their success? It’s all about DevOps and the technology changes required to do it successfully. Our survey found that teams settled on DevOps for better code quality and faster release times, but the tech choices to support that success – automated testing, security scans, and shift-left security – actually ended up bringing dev and sec closer together.
The takeaway: The right technology is surprisingly helpful in breaking down stereotypes.
2. Learn each other’s languages
Clearly, dev and sec have an ongoing communication problem.
In fact, they can’t even agree on who “owns” security, as we saw in our survey. A sec pro told us, “Security must be a practice of every member of the team from the front-end developer to the system administrator (and also non-tech roles),” while a dev said, “It’s all up to the developer!”
Work needs to happen, and it starts with the very old-fashioned concept of getting to know one another. A sec pro could attend a developer meet-up, and a dev could sit in on a security retro. For some teams, this is going to have to be a forcing function where management mandates cross-functional “lunch and learns,” virtual offsites, or even ice breakers.
The takeaway: Yes, even an escape room (or other bonding exercises) can help a team start to speak the same language.
3. Institute a security champions program
If you can’t beat them, join them, or in this case, embed them. Developer security champions are known and trusted devs who have an interest in and enthusiasm for security and want to share it with colleagues. This can be a very successful strategy to actually shift security left and change mindsets for good.
Security champions can be part of a formalized program led by the sec team, or grow in a more organic fashion via an enthusiastic dev. Either way, experts suggest this is a solid way to bring a DevOps team to DevSecOps.
The takeaway: Sometimes the message is heard and understood most clearly from an insider.
4. Meet dev and sec where they are
It’s tough to hold a dev accountable for security problems when the vast majority of them aren’t taught about it in college. And sec pros don’t necessarily know how to code. So is it any surprise that two very different skill sets, degree programs, and job requirements might find it hard to come together?
It’s not surprising but it is problematic. One solution involves both sides (figuratively) going back to school. Devs can get hands-on training in security, while sec pros learn how to code.
Also, DevOps managers might consider adding “security software developer” to the 2022 roster. This fairly new job title has over 1,000 postings on Glassdoor.com.
The takeaway: Continuing education and cross-functional training can yield enormous benefits.
5. Make the experience real
Actions can speak louder than words, so why not let developers experience, first-hand, what’s involved in a security breach (and, by implication, what the stakes are)? Invite devs to every hacking exercise planned, and get extra points if a security red team is involved.
At the same time, introduce security pros to the user experience (UX) team, and invite them to meet with actual users and hear real-time feedback.
The takeaway: It’s impossible to feel anything but invested if you truly feel like you’re part of the process.