How to Improve Collaboration Between Developers and Security Professionals

Jim Rutt
December 9, 2022

The rise in cloud companies over the last few years has seen a rapid increase in architectural changes, making it challenging to manage application and infrastructure security while keeping pace with the product and engineering teams. It is integral for security practitioners to have a healthy relationship with the engineering teams to resolve risk issues effectively.

Development methods have a long history of evolution from Waterfall to Agile, and now from DevOps to DevSecOps, prioritizing speed and innovation. And while reducing friction from conventional manual efforts, the ultimate goal of DevSecOps has been having security ‘baked in’ rather than ‘sprayed on afterwards.’ 

Apart from proactively pushing for the seamless collaboration of operations and software development, the primary focus of DevSecOps is to define and address security frameworks.

Key DevSecOps principles

Here are some key DevSecOps principles to help implement these aspects:

1. Using data science for empirical evaluation and implementation of developer best practices for more transparency.

2. Prioritizing immersive and seamless collaboration amongst teams instead of a strict separation of roles.

3. Valuing Exploit Testing that provides actionable results instead of trusting vanity metrics like arbitrary scans and vulnerability rankings.

4. Minimizing security incidents by shifting the organizational approach to being proactive/predictive with regard to incidents instead of just reacting.

5. Facilitating a cooperative shared threat intelligence instead of individually hoarding silos of knowledge.

6. Transitioning to compliance operations in place of checklist methods.

How friction happens between security teams and developers

The disruptive nature of security updates, especially when it comes to transitive vulnerabilities, creates a chaotic environment that strains the relationship between security teams and developers.

The current Dev scenario is plagued with a huge amount of artifact sprawl, and a tremendous amount of constantly changing containers like Function-as-a-Service (FaaS), etc. This makes it challenging to get an accurate baseline and understand risk profiles.

The constant changes to tooling make it difficult to address the gaps and overlaps in tooling functions.

Sometimes, the security practitioner doesn’t have a SecOps perspective and favors a developer-first approach, which makes it difficult to implement SecOps best practices.

A lack of standard communication protocol between SecOps and DevOps can make implementing coordinated security practices a challenge.

How can you improve collaboration?

Nurturing a balance between Dev and Security

With DevSecOps, developers are empowered to resolve the security problems affecting their team, as engineering teams are starting to embed the best practices of security practitioners, evolving into security champions. As developer metrics have begun incorporating risk management variables, security professionals and developers are starting to speak the same language.

Coming up with a well-documented standardized testing practice

This helps streamline the testing procedure when faced with the disruptive nature of numerous security updates, helping security professionals and developers to be on the same page.

Preventing artifact sprawl 

A consistent method of templating different containers helps developers and security professionals enjoy a sense of continuity in a constantly changing DevOps environment.

Iteratively checking tool gaps

It is important to ensure that there are no tool gaps or feature overlaps so that the process of tool adoption is simplified.

Hiring SecOps security champions

It is essential to nurture security champions who are sensitive to the security responsibilities that are intangibly tied to a developer’s duties and are trained to perform triages and threat modeling.

Metrics to measure the effectiveness of a DevSecOps process

While we cannot measure a DevSecOps process efficiency, we can measure the reduction in the code release time alongside the time taken by the security champion to learn the tools, triage the false positives, and the number of vulnerabilities being managed by them.

Ushering DevOps and SecOps toward a collaborative future

Though there has been a lot of friction in the past, the growing realization to bridge the gap between developers and security professionals makes it easy to envisage swift, seamless, and streamlined efforts to create more secure applications.  

CIO/CISO at The Dana Foundation