Having security and operations together in the development pipeline, when executed properly, should create a collaborative feedback loop between the development, operations and security teams. But that feedback loop is often incomplete, because the people, processes and technological challenges involved hinder collaboration.
The feedback loop is something that is challenging for all aspects of software development, said Shannon Lietz, who led DevSecOps at Intuit until June, when she transitioned to Adobe to lead the company's Vulnerability Labs.
In particular, security has been largely absent from the process since the 1970s, with software instead judged on factors like availability and performance.
“Most of the telemetry out there doesn’t necessarily take into consideration what is the security use case — it’s always an 'edge case' or an 'abuse case' of some sort,” Lietz told SC Media’s Deputy Editor Bradley Barth during a spring virtual conference.
One of the challenges to integrating security more effectively is tied to the language members of each team use to communicate with one another.
“You could watch and listen to a developer talk to a security professional and quite often they're talking past each other,” Lietz explained. “A security professional brings the notion of things like cross-site scripting, all these different attacks to the forum. A developer brings the notion of performance scalability, how they actually write the software.
“So those conversations get quite muddled on a day-to-day basis,” she continued. “That context alone can be quite challenging — it can create friction and distrust. And that's actually something that undoes the ultimate goal, which is to have software safer sooner.”
What will move the needle most in terms of fixing the feedback loop between developers and security is people, Lietz said.
“Ultimately, developers have the ability to get a better feedback loop, but they also have to be part of that translation,” said Lietz. “And I think it's true in the other direction, as well.”