A Modern Day Love Story: Security and DevOps
February 13, 2017
Featured article by Amit Ashbel, director of product marketing and cyber security evangelist at application testing company Checkmarx
It’s a tale as old as time: the last person you ever thought you would love becomes the one person you can’t live without. Enter software security and developer teams. Did you see that one coming? While these teams may not always see eye to eye, one cannot succeed without support from the other.
For starters, it’s important to take a look at the differences between developers and security teams to better understand the complex relationship. Developers are under a constant time crunch to meet deadlines and code faster than ever before to make sure their product hits the market in a timely fashion. They are most concerned with how quickly an application can go to market, and the perceived time needed for security testing has caused security to be put on the back burner.
On the other hand, the primary role of the software security team is to assess application code to identify any vulnerabilities that might exist and to make applications secure before they are released. A main concern from the security side is that there is often a lack of awareness amongst operations and developer teams surrounding high-risk coding processes. With endless code and last-minute edits, there is an increased risk of vulnerabilities.
While there are clear differences in the software security and developer relationship which can sometimes cause friction, they share a mutual goal of working together to improve product security in a time-efficient and collaborative manner. Enter the DevOps revolution, which has created an opportunity for security to be truly integrated into the software development lifecycle (SDLC). This creates a flourishing, collaborative relationship known as “DevSecOps.”
The purpose and intent of DevSecOps is to prioritize security for everyone involved in the application development process to create a more seamless working relationship. Altering the way security is integrated and how it supports the DevOps ecosystem is an ongoing struggle, but worthwhile in the end. As we all know, the most important part of a relationship is commitment, and commitment to security is needed from everyone within an organization, from board level members to the developers.
Outlined below are a few tips for those wondering how to better the relationship between software security teams and developers:
- Create a culture of both speed and security awareness: Being able to prioritize speed and innovation is important to any developer, but working closely with the security team to make applications safer is critical to enforce throughout the organization.
- Implement security onboarding procedures for the DevOps team: Regardless of the amount of experience a developer has, it’s important for every organization to provide security onboarding sessions for new employees. This includes secure coding tutorials along with outlining security tools, policies and procedures.
- Keep members of the board aware: It’s always a smart idea to make sure your board is up-to-date on the latest security and data breaches and how this can negatively impact a company. Security starts from the top down, so it’s key to have board members understand the value of security teams within their DevOps processes.
- Automate security testing: Another important piece of the DevSecOps puzzle is utilizing automation to cut down on error and to speed up repetitive processes to free up more of a developer’s time. The same goes for security – by enabling developers to test their own code for security issues, they’re able to receive real-time results and remediate any problems on the spot.
Overall, the software security and developer relationship will have bumps in the road just like any other love affair, but when the two are able to work closely together in unison, it creates a secure and enjoyable product. There is always a place for security in the heart of DevOps teams; it just takes a little give and take on behalf of both groups to achieve a mutually beneficial outcome.
Author Bio: Amit has been with the security community for over a decade, where he has taken on multiple tasks and responsibilities, including technical positions and senior product lead positions. Amit has experience with a wide range of security solutions including network, endpoint, fraud detection, and application security. This, in addition to his familiarity with emerging threats, allows him to address multiple aspects of an organization’s security portfolio while constantly studying how organizations can adapt to the ever-changing landscape. Amit speaks at high-profile events and conferences such as Blackhat, Defcon, OWASP, and others.