
Overcoming the Language Barrier Key to DevSecOps Success


This article addresses what both developers and the security side need to keep in mind about each other to make DevSecOps really work for software development.
But getting these two teams to understand each other’s “language” is no easy feat. In the same report, Forrester Research explains, “Security has its own array of terminology and acronyms that are foreign to developers, I&O pros, and line-of-business managers. And each of those disciplines speaks its own language that’s equally foreign to the security team. As a result, when these teams try to communicate, it’s often unproductive, frustrating, and contentious. This language issue sustains isolation with little hope for resolution.” Here are a few tips to start breaking down these barriers and speaking the same language:
As our Director of Developer Engagement, Pete Chestna, recently noted, “Finding a developer trained in cybersecurity is like finding a needle in a haystack.” Overcome this impossible task with the creation of “security champions” on the dev team. Development managers should identify members of their team who are not necessarily trained in security, but show an interest in the subject. Again, Pete Chestna recommends identifying these champions with questions like, “Do they like to hack or reverse engineer devices, code, and systems? Have they ever participated in a bug bounty program or found a vulnerability? Do they follow security news and thought leaders? Do they participate in hacker culture, watching shows like ‘Mr. Robot’ and attending hackathons?”
Then what do you do with these people? Make them security champions who reduce culture conflict between development and security, help other developers by performing code reviews, and act as the security conscience of the team. They hold feet to the fire to make security a priority during planning and pre-production.
In a DevSecOps environment, developers own the testing of applications in their development environment, fixing flaws to pass policy and continuing to build code. Security, on the other hand, owns setting policies, tracking KPIs and providing security coaching to developers. In addition, security is responsible for providing developers with support in integrating scalable AppSec tools into their SDLC.
In turn, the security function cannot be effective in a DevSecOps world without a thorough grasp of how developers work, the tools they use, the challenges they face and how security fits into this picture.
Bump up your development knowledge by:
