
Security: Make a Commitment to Working With Development


A discussion of the continued need for security professionals and developers to work together on projects, i.e. to "shift left," and to inculcate a DevSecOps mindset.
The days of security and development working in separate silos are over. With the DevOps-induced security "shift left," security testing now falls in the realm of the developer, which leaves security in more of an enabling than an enforcing role. This new role requires a new understanding of developer priorities and processes. The security function cannot be effective in a DevSecOps world without a thorough grasp of how developers work, the tools they use, the challenges they face, and how security fits into this picture.
In a DevSecOps environment, developers own testing applications in their development environment, fixing flaws to pass policy, and continuing to build code. Security owns setting policies, tracking KPIs, and coaching developers on security. In addition, security is responsible for supporting developers in integrating scalable tools such as Veracode into their SDLC.
With the traditional security role of running scans on completed code and passing back reports to developers, a lack of understanding of the developer function wasn’t necessarily a show-stopper. But security’s new role does require this understanding — without it, security professionals simply won’t be effective and will get left behind as the pace of development continues to accelerate.
Security needs to understand developer processes in order to best integrate security into development workflows. In addition, developers can’t fix every flaw at the same time, so security needs to be pragmatic, be aware of development’s priorities and bandwidth, and help them prioritize the tasks and the timelines.
And we are already seeing good progress on this shift. Veracode recently conducted a survey of 400 IT pros who are involved with application security, and 58 percent of respondents indicated that application development and security teams collaborate to prioritize security defects based on the likelihood of exploitation, and 45 percent said that the security team regularly participates in Daily Scrums and planning meetings. We’re clearly moving in the right direction, but we’ve got more to do.
Security teams must commit to understanding developer tools, processes, and pains. How to commit? Start by:
What is your experience with the shifting roles of DevSecOps? Are your security and development teams working more closely?
