For most companies today, software is what helps you compete. You have to roll out new products and services to satisfy customers, and you need to do it FAST.
While it’s true DevOps has revolutionized development in terms of speed, capability and agility, the truth is security is having trouble keeping up. For CISOs and other security leaders, it’s no small task trying to ensure software development happens securely. And, it is an even tougher nut to crack, especially when most organizations can’t answer the simple question, “who owns application security?” As many of us know, the mindset of “everyone owns security” becomes dangerous when, without accountability and executive-level support, “everyone” quickly lapses into “no one.”
At ZeroNorth, we understand how important it is to unify disparate teams – security and DevOps, along with business leaders – and align security efforts. But, to unify these teams, we have to first understand the barriers that may be standing in the way. To that end, we commissioned an independent research report from the Ponemon Institute to examine the sometimes-murky relationship between security teams and developers. The results of the survey speak directly to the cultural divide between these organizational teams, offering CISOs some practical information on what it will take to reach the other side.
Pulling Back the Curtain
Organizations put themselves at risk when application security and development teams don’t share a common vision on how to deliver software to market quickly and securely. This inability to work together under a unified goal, or lack of a Federated Responsibility Model, is what we call the cultural divide. According to the Ponemon research, 77% of developers say this existing cultural divide affects their ability to meet deadlines, while 70% of AppSec professionals say it puts the security of applications at risk. This means there’s plenty of technology available to solve our secure development problems, but our human problems are slowing down the process.
Organizations continue to seek more effective and efficient ways of integrating security tools into their existing environments, without impacting speed, but the problems keep bubbling up. Developers see security as a bottleneck to innovation and speed, and security practitioners believe developers will prioritize delivery times over quality. As ZeroNorth’s recent work with Ponemon uncovered, 65% of AppSec professionals say developers publish code with known vulnerabilities, and the same exact percentage (65%) of developers say the AppSec team doesn’t understand their pressure to meet deadlines.
Worse, there seems to be no agreement between these teams on who actually owns security. Sixty seven percent of application security professionals feel their team is ultimately responsible for the security of software applications, compared to only 39% of developers. Further, only 35% of developers believe application security risk is increasing, compared to 60% of application security professionals. Most developers (63%) believe they take the quality of applications seriously which is to be expected given that their jobs are focusing on delivering high-quality software products, but they don’t seem to correlate delivering secure software with delivering quality software.
While these gaps highlight obvious cultural differences, they also raise profound questions about accountability and visibility. When the differences are this big, who is in a position to confidently answer whether or not an application is secure? It’s clear, there’s work to be done.
Building a Bridge
Here’s some good news. Security professionals and developers do agree on some things. CISOs and other security leaders have an opportunity to bridge the gap between development and security by embracing a federated model for AppSec whereby security sets standards and provides frameworks, while DevOps and product teams are empowered to execute as appropriate for the business. By serving as “uniter” for security, DevOps and the business, the CISO and other security leaders have the ability to ensure security is front-and-center without hindering the speed and velocity requirements of the Dev teams.
Where does a CISO kick off this journey? They can start by modeling a mindset and culture that views security as a competitive advantage, and not an obstacle. CISOs have an opportunity to establish (and coach) a stronger coordinated effort where business, product and security teams are singing off the same sheet of music. As a coach, with the right tools and data, you will find a seat at the table. Why? Because you bring significant value to the business leaders as well as the development teams operating that aspect of the program.
Security leaders can also ensure sufficient resources are allocated to safeguard applications in the development and production phase of the SDLC. This includes training and support to help developers build the secure coding skills, processes and tools that everyone will need to take action. Continuous testing throughout the development life cycle also helps keep security up to date as security threats and companies themselves evolve. As members of senior leadership, CISOs need to build security into the organization’s overall risk management strategy and report out on the business’ most important KPIs.
Answering Deceptively Easy Questions
Building a shared vision for how to deliver software quickly and securely is the crux of the challenge. It will take commitment from all sides to build this type of collaborative relationship. Once everyone involved recognizes that application security vulnerabilities are a risk to the business in the same way as financial risk or market risk, they will hopefully begin to create more integrated workflows. When CISOs and security leaders of all kinds bring the Dev, the Sec and the Ops teams together to produce quality software, they will finally be able to confidently answer, “Yes, our software products are secure.”