
Reality check: security will never take priority in software development

The No. 1 hurdle between security teams and developers working on a product is an inherent lack of trust, said Larry Maccherone. 

Maccherone, who led DevSecOps transformation at Comcast until recently, spoke with SC Media Editor in Chief Jill Aitoro during an SC Media virtual conference about how to ensure developers incorporate security into their work without diminishing creativity and innovation.

To win developers’ hearts and minds, security teams need to use language and definitions that put the developers front and center. “Those who say ‘SecDevOps, the security comes first’ — they’re just wrong; the security does not come first,” Maccherone said. “If you don’t have a product that delights customers — that has customers — you don’t need any security, right? If nobody’s using the thing, there’s nothing to secure.”

SC Media’s “Secure Cloud Series: DevSecOps in High-Velocity Environments” virtual conference is available on demand.

If security teams want developers to pay attention to the vulnerabilities they find, they must give that feedback shortly after the developers write the code, when they are most invested, Maccherone said. The best time for that is during a process called the “pull request,” where a developer’s code is sent to be validated and a reviewer says the code is good enough to advance to the next level. If security is added to the list of things that need approval before the code can advance, Maccherone said, then the developer will jump through hoops to fix any problems in their code.

Maccherone said security teams also need to understand they’re not the gatekeepers or auditors of a product, but rather they are advisers and consultants helping developers with security.

Maccherone said he thinks a lot more needs to be done for the industry to adopt an agile approach to software development.

“I don’t think we’re even halfway there on DevOps, and DevSecOps follows that.”
