Everyone working at a company has some responsibility for driving revenue and sales, employee and customer engagement, and taking security and compliance seriously. But there’s a problem with this theory for anyone who’s ever worked at a real-life company. The concept of “everyone” owning security quickly morphs into “no one” when accountability and executive-level support are absent. Factions are formed, people protect their turf and assumptions are made about who does what. When that happens, security begins to fall through the cracks.
It’s very true in the world of DevOps. In fact, Ponemon reports that 67 percent of application security (AppSec) professionals believe they are ultimately responsible for the security of software applications, compared to only 39 percent of developers who believe the same. Additionally, only 35 percent of developers feel application security risk has been increasing, compared to 60 percent of application security professionals. Most developers (63 percent) believe they take the quality of applications seriously, but they don’t seem to correlate delivering secure software with delivering quality software.
The cultural divide between AppSec and DevOps teams has emerged as an issue with critical organizational ramifications. Businesses put themselves at risk when these two sides don’t share a common vision for how they can deliver software to market quickly and securely. And it’s through the examination of this misalignment that companies can make progress towards a more federated approach to AppSec. By first accepting the divide, efforts to close it can truly begin.
A divided workplace
Organizations undergoing meaningful digital transformation continue to adopt DevOps methodologies to keep up with the consumer’s insatiable demand for applications and services. Culturally, DevOps focuses on the speed and agility of delivering software. AppSec, on the other hand, methodically checks software for vulnerabilities and potential risk. Two different goals results in two different cultures, a dynamic that leads to opposing objectives as well as incentives for developers and security teams. In fact, 77 percent of developers say this existing cultural divide affects their ability to meet deadlines, while 70 percent of AppSec professionals say it puts the security of applications at risk.
Like most conflicting situations, security and development teams both feel they’re misunderstood by the other side. Almost two-thirds of DevOps professionals say they are under growing pressure to deliver software faster and faster. AppSec teams don’t seem to recognize the pain of this pressure, as 56 percent feel DevOps teams are more concerned with pushing successful products out the door than they are interested in building secure applications from the start. AppSec teams also say developers are regularly publishing code with known vulnerabilities—a big no-no in the security world.
While these gaps emphasize obvious cultural differences, they also raise big questions about accountability and visibility. When the divide becomes this large, who’s in the critical position of determining the security of the software the world needs to get work done?
A widening gap
While AppSec and DevOps teams may never fully see eye-to-eye, they need to find a better way to work together as one effective and cohesive unit. Digital transformation puts pressure on organizations to develop applications at increasing speeds to keep up with the breakneck pace of modern innovation. Sixty-five percent of developers and 50 percent of AppSec professionals say they feel the pressure to develop applications faster than before digital transformation. But the question of how lingers.
Technology alone will not reduce the security risks caused by the cultural divide. To build a more federated approach, senior leaders need to address the concerns of both security and development. A majority of developers and AppSec practitioners believe that they need to addressing critical vulnerabilities in the early stages of the application development lifecycle. Building security right in from the start just makes sense.
Senior leaders can play a role in ensuring that sufficient resources are allocated to safeguard applications in the development and production phase of the software development life cycle (SDLC). They have the opportunity to lead by example, demonstrating across the board how the company should view security as a differentiator, not an obstacle to creativity and innovation. CISOs and security champions must talk the talk and clearly communicate how application security vulnerabilities pose a risk to the business in the same way as financial risk or physical risk.
At our company, we have embraced DevSecOps and the theory of continuous security testing that lets IT and security teams work together in pushing out safe, quality code. We’re one of the first companies to integrate security into the end-to-end development process by giving our customers a method for managing their existing security tools more effectively, orchestrating automated security tools to gain more benefit and value from the data they produce, and putting all that intelligence into a language that all stakeholders can understand. When everyone has this same continuous and consolidated view of risk to critical assets, it's easier to bridge the cultural divide.
Software security must become a priority, we can’t get this wrong. It will take more than just technology to get us to the right place—it will take strong relationships and mutual understanding. These may not sound like techy concepts, but people are a key impediment standing in the way of progress, ahead of tools. And once everyone realizes this cultural gap really exists between AppSec and DevOps, the first step toward change has already begun.
Christian van den Branden, senior vice president, engineering and product management, ZeroNorth