It’s a common conundrum for application security (AppSec) teams…how can developers and security professionals work together to release software faster? It takes a working relationship, good communication, and the right tools, which most teams don’t have.
Even more discouraging, stigmas follow both teams around the office; developers often worry that security is there to slow down or halt their projects while security is concerned that developers aren’t prioritizing secure code. As modern software development becomes faster with tighter deadlines and an array of cyberthreats awaiting vulnerable code, there’s little room for misalignment.
It’s a multifaceted issue that should be understood from both angles. Misaligned business priorities and processes can create an array of problems, from a lack of innovation for fear of increased risk to unforeseen vulnerabilities falling through the cracks during the development process. And when developers aren’t empowered to improve their skills with educational tools like Security Labs, there’s less of a chance that they’ll feel prepared or appreciated when security comes knocking.
To begin addressing these concerns, changes must come from the top-down, trickling through each team to impact their goals and methods for an overall healthier AppSec program. When they have direction, developers and security leaders can find a common ground by building a working relationship that benefits both teams (and ultimately, the entire organization). Three key steps to fixing the misalignment between security and development include:
- Shifting to a security-focused mindset across the business.
- Implementing a security champions program to encourage developer participation.
- Making it easier for the development team to write secure code.
Once security leaders understand the tools and methodologies developers are most comfortable with, and developers have the opportunity to learn more about security practices, closing the gap between these two otherwise siloed teams isn’t as daunting. With the right tools, processes, and communication methods in place, security and development will have an easier time falling into the right working cadence to produce more secure applications.
Watch our video "Tips for Unifying the Security Professional and Developer Roles" below to hear from Veracode’s Chief Technical Officer Chris Wysopal and Chief Product Officer Ian McLeod on how these roles became misaligned, and how organizations can tackle the problem head-on.