There is a big conversation happening right now in the world of application security (AppSec), one that is focused on how security and DevOps professionals can come together in the name of better, safer software. Because, right now, these teams are often worlds apart. Although DevOps has revolutionized the speed of software development, the implications of this increased velocity can sometimes run counter to the goals of security, emphasizing the need for better risk management.
A starting point for the conversation lies in the ownership of AppSec responsibility. Today, DevOps and AppSec teams often don’t really know where (or with whom) the responsibility for application security sits. Specifically, do Dev and Engineering teams own responsibility for securing the applications they develop? Does a central corporate or product security team hold the ultimate accountability? Or does the answer lie elsewhere? Regardless, a lack of alignment and understanding on this—and a host of other related issues—can effectively increase application security risk.
What does the research say?
A recent report conducted by the Ponemon Institute and sponsored by ZeroNorth highlights some data points around this cultural gap, including the need for AppSec and DevOps to identify better strategies for unification. Yes, it’s critical for different teams—from security to DevOps to business leaders—to align their efforts, but they must first recognize the obstacles they’re facing. The results of the survey speak directly to the cultural divide between these organizational teams.
The bottom line is that organizations put themselves at risk when security and development teams don’t share a common vision on how to deliver software to market quickly and securely. This inability to unite under a common goal is what Ponemon calls the “cultural divide,” and it’s creating the need for a new breed of superhero.
Who wears the cape?
Under this new world order, there must be a hero—otherwise known as a Security Champion—to take charge of helping developers build applications securely. In short, Security Champions are professionals from a range of roles (engineering, product management, etc.) who care greatly about security and advocate for AppSec best practices within development teams. At the end of the day, this role is what can help bridge the divide between Security and DevOps/Engineering.
As a company focused on uniting security, DevOps and business teams for the good of software, ZeroNorth recently surveyed 99 security and development professionals to find out how these Security Champion Programs are working and where success is being found. The results from this survey tell us a lot about the state of these programs and where they are headed in the future.
This theme of bringing AppSec and DevOps teams together through a centralized authority is taking hold in the industry. For too long these two sides have worked in silos, and the cultural divide is only growing, with DevOps teams being measured by how fast they can deliver software. The time has come to bridge this divide, just as DevOps once brought development and operations together, to ensure security happens earlier in the development life cycle.
Who else has a role?
CISOs and corporate security leaders play a key role in the success of these programs, as they are the ones who must set security standards and policies, and often provide the scanning tools and capabilities to the business. They are usually the teams held accountable for the overall security posture of the organization, which means they have a keen interest in understanding how security policies and practices are applied across various DevOps and Engineering teams.
Behind this effort, business and corporate security leaders can support the success of a Security Champions Program by defining AppSec priorities, training employees for best practices, enabling access to scanning capabilities and consulting on issues of vulnerability and remediation. While creating this type of framework is essential, the results are what really count. The data resulting from ZeroNorth’s research into Security Champions tells us these programs have greatly improved the state of AppSec in a variety of ways.
Senior leaders have an opportunity here to lead by example and demonstrate across the board how security should be viewed as a differentiator, not an obstacle to creativity and innovation. CISOs and their respective Security Champions must talk the talk and clearly communicate how AppSec vulnerabilities can threaten the integrity and success of the business—in the same way as a financial or physical risk.
How high can we fly?
Respondents to the survey identified the top three responsibilities of a Security Champion Program, which provide a good deal of insight into next steps. Promoting AppSec best practices and advocating for security within development came out on top, followed by the need to adopt more thorough security standards and promote better scanning capabilities.
These goals cannot be achieved without effective technological solutions, and this is where ZeroNorth has answers. Our application security automation and orchestration platform unites security, DevOps and the business to improve security performance and reduce organizational risk. This allows security superheroes to effectively identify, prioritize and remove the vulnerabilities standing in the way of software excellence. The ZeroNorth dashboard offers a holistic view of risk across the entire application portfolio and the ability to orchestrate and manage all commercial and open source scanning tools in one central location.
The ZeroNorth platform also helps teams make sense of the flood of data flowing in from their various scanning tools and use those insights to accurately identify and remediate vulnerabilities before they become problems. As the company grows, it can onboard the newest, best-in-class scanning tools and seamlessly integrate their vulnerability data as well, scaling its AppSec initiatives along with ZeroNorth.
Where do we land?
The study on Security Champions makes one thing crystal clear: there is a dire need to unite teams in the interest of better, more secure software. These committed security pros will play a massive role in furthering these objectives. With sponsorship and support from corporate business and security leaders, these champions who pick up the mantle of security will be armed with the training, best practices and security tools they need to safeguard business and product lines. And this strength will in turn enable them to help developers meet their goals while supporting organizational risk and compliance requirements.
Commitment from both sides is critical to building this kind of collaborative relationship, but it is possible. And once everyone acknowledges the many ways a Security Champion Program can improve the state of AppSec, including all the business benefits resulting from strong product security, they will hopefully find things just work better when someone special wears the cape.