Today’s organisations are operating in a digital landscape filled with complexities and vulnerabilities. Increasingly, the applications and technologies businesses use to run crucial operations and connect people are at the mercy of cybercriminals, who are eager to attack from the shadows, exploiting these everyday applications and stealing the sensitive information held within them. As such, security and DevOps teams need a collaborative approach to address and triage the application vulnerabilities that continually present themselves, despite each team having different overall objectives.
Across the industry, we’ve seen the benefits DevOps has brought in building and deploying applications at scale for businesses. However, because businesses want applications to go to market in an expedited manner, security is often sacrificed for agility, which creates gaps within the architecture and leads to increased application risk. The winning formula for application security is a DevSecOps policy with true alignment between development, operations, and security, built on continuous collaboration and an open dialogue.
Yet, organisations are routinely failing to assimilate DevOps and security. Some struggle to make the cultural shift from outdated systems, while others may fail to convince developers to buy into this strategy. Nevertheless, there are ways to ensure there is synergy and understanding between the two teams.
Developers are a critical cog in the business IT machinery, so one would imagine that helping to address security issues would be standard practice to avoid a damaging situation like a cyberattack. Unfortunately, this isn’t the case, as revealed in GitLab's "2019 Global DevSecOps Report", which found that nearly 44% of developers admit they are not judged on their security vulnerabilities and instead focus their attention on closing tickets and meeting deployment deadlines for the business.
On one side of the scale, speed is a key measurement for developers, who are often racing against the clock to test and deploy applications. On the other side is the security team, which is more concerned with identifying weaknesses and closing security gaps within the organisation. This distinct gap in priorities between application developers and security is harming businesses, and to bridge the two, businesses need to provide each team with the tools to carry out its tasks effectively and securely.
Here are four ways to help prioritise security in application development:
- Change the culture
In our research, 31% of organisations admit that they have knowingly ignored a security issue so a product could be rushed out. This reiterates the point that speed has been the main focus over security. A change in attitude and mindset is required regarding application security and addressing vulnerabilities. If security is planned in from the beginning, potential threats are significantly reduced. However, this strategy has to be championed from the boardroom right through to senior management, so that vulnerabilities are eliminated from applications before they go live.
Naturally, adjusting the overall approach may take time, particularly given the deadlines and KPIs set by development managers. But the positives will significantly outweigh the negatives when you consider the costly consequences of an exploited vulnerability that will be avoided.
Development managers should be given this as a remit and, in turn, should revise their development team metrics and reward changes in behaviour. A clear signal from the boardroom will empower developers to focus on security and quality development.
- Integrate, don’t alienate
Cybersecurity is like a game of chess, and developers must be viewed as a valuable piece. They play a critical role, with a deep knowledge and understanding of the software that many others do not possess. They should not be referred to as the weak link in defending the business. Instead of highlighting mistakes, open a dialogue with developers to better understand their domain and how security can be integrated easily into their existing workflows.
Regular conversations between security and developers lead to a better understanding of process that can be woven into the overall security strategy and improve developer buy-in. This in turn leads to better decisions on which security solutions to purchase to help developers identify vulnerabilities sooner. Ultimately, with a more inclusive security programme that does not alienate or segregate, developers will feel more valued and become a reliable resource for tackling application security threats in the long term.
- Upskill your developers and build their security mindset
There are calls from within the cybersecurity industry for aspects of cyber, like coding, to be taught in schools at an earlier age; some even wish for it to be made compulsory, given its growing importance in today’s digital society and the growing skills shortage. So why can’t the same principles be extended to security? Studies have shown that students undertaking computer science programmes had not taken courses in secure coding or secure application design. Additionally, research has revealed that 70% of developers say that while they are expected to write secure code, they get little guidance or help.
With the number of application vulnerabilities seemingly mounting, developers need the tools and knowledge to tackle these issues from the start of the SDLC, and this can be provided through engaging and fun online learning. Gamification, online leaderboards, competitions and realistic hacking scenarios help embed the teaching, keep developers engaged, and progress skills they can use in their day-to-day work.
By promoting the benefits of writing secure code and encouraging self-development, modern developers will not feel bewildered when asked to identify software vulnerabilities across the various coding languages and frameworks.
- Find strength in shifting left
Organisations that want to achieve a robust application security posture and secure their SDLC need to bridge the gap between security and DevOps. Today’s agile, cloud-driven world requires a new outlook, and with organisations seeking to benefit from the improved productivity and efficiency that applications bring, having developers adopt a shift-left approach will build trust in these services.
Shifting left means integrating secure code training and automated continuous testing into the software development lifecycle (SDLC). This leads to more ownership and empowerment among developers, providing an effective model for detecting and fixing security flaws within applications earlier, and a more cost-effective solution for the organisation.
We are at a critical stage in the digital renaissance, and security has evolved. It is no longer just the security team’s problem but a wider technological concern that needs to be made a priority. Developers, when supported and incentivised, can help deliver applications that are more secure and of a higher standard, and that will be more valued and in demand. Ultimately, this will lead them to become one of the best security assets within any organisation.