Security is an essential and inevitable part of every software application. But too often, it gets overlooked and shuffled to the bottom of a project’s to-do list.
Engineers tend to view security as a hassle or roadblock in the product development life cycle. In fact, 52% of developers believe security policies are a barrier to innovation. One of the ideal ways to bridge this gap is to streamline the collaboration between security teams and developers.
Strengthening the relationship between these two teams allows us to build better software, and paves the way to transitioning from DevOps to DevSecOps. It’s all about fostering relationships, and that starts with building understanding and trust with each other.
It also involves a shift in perspective. Rather than seeing security as the team that only slides in to fix data breaches, or that hinders innovation, we must ingrain it across people, processes, and technologies. And as security folks, there are a few things we can do to help.
Six key security values to help bridge the gap
At Medly, we developed a list of core values for our platform security team to live by, inspired by a report by Zane Lackey and Rebecca Huehls, and a talk by Eric Brandwine that both explored building a more collaborative security culture. Our core values act as a set of guidelines for security folks when making decisions and interacting with engineering.
Sharing these values with development teams, and asking them to hold us accountable for them, has created more clarity and allowed us to bring the two teams together to achieve our shared goals. Now I’m sharing our six core values in the hope they can help other security teams to build better relationships with engineering:
1. Practice empathy
Empathize with the engineering teams. Everybody is here to make sure the organization succeeds. They’re delivering outcomes to the best of their abilities and knowledge. Don’t take away people’s ability to do their jobs. Don’t break their workflows unless absolutely required.
Make sure you never make snarky comments. People rarely make security mistakes intentionally. Most of the time it’s because they don’t understand the security implications of their decisions. It’s our job to help them understand and learn from their mistakes.
2. Make realistic tradeoffs
Security shouldn’t get in the way of product delivery. Delivery at speed needs security at speed. Choose solutions that take the product forward in a secure way without blocking the product release. For example, don’t block the release because not all security issues are fixed. Instead, explain why fixing those vulnerabilities before going live matters and help the business make a decision.
Not all security issues are a high priority. Highlight the vulnerabilities that need immediate attention. Attackers have budgets and bosses too.
3. Establish credibility
Trust is difficult to earn but easy to lose. Build trust with the product teams by giving them correct solutions and explaining trade-offs. Make sure people believe that when you say something, it actually does need to be fixed.
Take the false-positive hit yourself. Every issue coming from a security tool should undergo investigation by the security team first so that only genuine issues make it to the product teams.
Don’t be afraid to say, ‘I don’t know, but let’s figure it out together.’ And communicate status and decisions in an open, transparent, and timely manner.
4. Become enablers of security rather than owners of security
Enable product teams to take care of product security on their own by helping them set up tools and adopt secure practices. Work with the teams to choose the right tools that suit their workflow. Make product teams self-sufficient and yourself redundant. Provide guidance, not checklists. Prefer continuous security over pen-testing.
5. Reward good security practices
The idea behind rewarding good security practices is to motivate the right behaviors. Create a reward-based security culture that helps identify and fix security vulnerabilities proactively, at the earliest stages. Whenever somebody reports a vulnerability or asks a curious question about security, reward them by publicly acknowledging their interest in security and in keeping the organization safe.
6. Make helping people who ask for it the highest priority
In a sea of overwhelming priorities, make sure you first cater to those who ask for help. If we, as security managers, turn a blind eye to those needing assistance with security, the other folks on our team will too.
Reflections
We cannot bolt on security at the last stage. Rather, it needs to be baked into the development process from beginning to end. By abiding by these core values, we can ensure smooth and secure collaboration between the two teams. Transforming to DevSecOps is an extensive process that doesn’t happen overnight, but establishing these security values is a great first step towards reaching the goal.