4 ways Security and DevOps can collaborate to reduce application vulnerabilities
The DevOps phenomena has helped businesses build and release applications at scale, however security considerations are often left behind in the speed of agile development creating gaps in security and increasing application risks. The gold standard of application security - DevSecOps emphasizes the need for better collaboration and continuous integration between development, operations, and security.
But bringing DevOps and SecOps together requires significant cultural shift, developer buy in and implementation of a host of automated security tools in the CI/CD pipeline. Let’s look at why so many companies are finding it hard and our top tips for getting there.
DevOps are from Mars, SecOps are from Venus
Given the crucial role developers play in driving business initiatives, the solution is simply for them to step up to the task and start working with security to keep application vulnerabilities at bay and avoid costly data breach. That makes sense… right?
Unfortunately, the problem lies in the misalignment between DevOps and SecOps.
Whilst developers are told to be more security minded, their day-to-day experiences tell a different story. In GitLab's "2019 Global DevSecOps Report", which surveyed 4,000 software professionals, nearly 44% of the developers surveyed reported that they are not judged on their security vulnerabilities. Instead, managers focus on metrics like the number of closed tickets and deployments, their ability to pick up new tasks or cover new items during a standup, adding to the pressure to deliver fast results for the business. Developers learn that ‘more is best’. The faster you code, the quicker you test and more frequently you publish, the better you’re doing.
On the other hand, SecOps are tasked with protecting the organization with sufficient security controlling and keeping up with compliance standards whilst demonstrating a reduction in security threats, with little regard for speed unless a data breach or security incident has occurred.
Whilst we universally acknowledge the power developers have in the development environment, a gap remains between these conflicting priorities and ensuring developers are in a position to wield it and have the correct security tools to empower them do so.
Four ways to help prioritize security in application development
1. Change the culture from the top down
According to a recent ESG research report, almost half (48%) of organizations regularly push vulnerable code, and they know it, which is a very worrying statistic for security folks. Shipping vulnerable code tells developers that what matters is volume and speed, not the quality of code. We need to change the attitude towards security vulnerabilities. Let’s move from damage control to prevention from the start, so there is never a reason to go to war on security threats.
Senior management needs to take a stand against shipping any vulnerabilities in their product, paying more attention to development. Development managers should be given this as a remit, and they in turn should revise their development team metrics and reward changes in behavior. A clear signal from the top down will help developers know how to set their priorities and focus on security.
2. Recognize developers as key players, rather than as an existential threat
Developers shouldn’t be seen as the enemy or weakest link. They have an intricate understanding of the software they create and are passionate about the work they do. No one enjoys being accused of making mistakes and neither do they, especially when they haven’t really been trained to handle these issues and they can become to feel demotivated and mistreated leading to staff churn.
Give developers a seat at the table and ask for their recommendations on new processes and allow them to feed into new security plans. When choosing the right security tools for the job, developers needs often take second fiddle to other criteria and budgets. When SecOps buy tools that don’t speak to their needs, it leads to a drop in developer adoption. In cases where the security tools identify vulnerabilities, developers are often unequipped to handle these issues, making the tools redundant.
Source: White Source3. Put your money where your mouth is and keep developers engaged
In 2019 Forrester Research reported that of 40 university computer science programs it surveyed across the U.S., not one required students to take courses in secure coding or secure application design. And this data is not unique to the US alone. As developers settle into working life, their limited exposure to secure coding continues. According to GitLab’s 2019 DevSecOps report, 70% of developers said that while they are expected to write secure code, they get little guidance or help.
Invest in security training to give your developers a fighting chance of taking on those pesky vulnerabilities. For developers to thrive and engage in writing secure code, they need regular access to hands-on learning that actively encourages them to learn and build their skills in a real environment. They need to learn about recently identified software vulnerabilities, in real code, and be able to work in their own languages/frameworks.
Developers are creative individuals with a competitive streak and are less likely to learn from formal training and classroom style learning. As our recent research demonstrates, the majority of our customers expressed they have changed up their secure coding training from existing corporate style training for DevOps as it wasn’t interactive and engaging enough to achieve the best results:
Pitching them against each other through real hacking scenarios is what helps them learn and stay motivated to be able to spot issues in application code and bringing these skills to their actual work.
4. Turn your ‘liability’ into your biggest strength
In order for a restaurant to serve up a great meal, their strive for quality starts from carefully selecting the ingredients, to diligently putting the meal together, rather than giving the meal a quick once over before it goes to the customer. Application security needs the same level of attention and this can be beneficial in the sales cycle to win new business as clients have maximum trust in your product and developers.
The benefits of making developers part of the AppSec story and shift left is huge and makes good business sense. There’ll never be as many security professionals as developers and it’s a lot easier and more efficient to teach developers to code with a security mindset than it is to recruit enough security professionals to dig into your code.
It’s best to integrate secure code training and automate continuous testing into your SDLC cycle, whereby your developers feel more ownership and empowered to spot security flaws and take responsibility as vulnerabilities are flagged early in development for them to fix, before moving onto the next stage and avoiding the need for slow and expensive manual checks.
By ensuring your developers are supported, equipped, and incentivized to tackle security, you can make developers your best security asset. Check out Secure Code Warrior’s 'Fast Guide' for advice on how to level up your software development teams security skills in 3 steps.