Dev vs Sec – Who's Responsible For The Ops?
The rapid shift to digital and the scramble to fix security issues in this increasingly dynamic world have increased the friction between developers and security teams at many organizations.
To maintain a secure and stable environment, security leaders must start taking the right steps to reduce this friction and avoid a significant negative impact on development efficiency and business success.
Our second episode of Let’s Talk AppSecOps Season 1 explores the sometimes rocky relationship between Dev and Sec teams, and discusses practical solutions for improving collaboration between them.
The #1 gray area in AppSecOps
The State of AppSecOps 2022 report discovered that eliminating developer friction is one of the three biggest priorities for security leaders. Unfortunately, a major contributing factor to this increasing friction is the frequent back-and-forth of security-related tasks—especially when it comes to infrastructure-as-code.
“Our security teams are focused on managing and mitigating business risks, while development teams are focused on delivering as much functionality to the market as possible. These two aspects don’t necessarily mesh every time, and create friction,” says Mark.
The result? Development and security professionals are always pointing fingers, as they struggle to determine who is responsible for ensuring the security of the infrastructure.
Taking a step towards the solution
To overcome this friction and promote positive collaboration between security and development teams, security leaders must take a different approach.
Enter the security liaison
Converting security teams into coaches, or starting a security liaison program, can be a great first step. A security champion or liaison can educate developers on why security affects the project, explain security best practices, and more, to help them avoid common errors while writing code.
The focus also needs to be on “more carrot, less stick” tactics, such as incentivizing opportunities for the development team to work in a more secure, motivated manner. For instance, this could be through recognition for those who have taken proactive steps to improve the security of their code, or by offering training and education programs to help developers better understand security concerns.
Understanding developer hardships
Moreover, security leaders need to better understand the expectations and environments that their developers face. This requires a deep understanding of the development process and the tools and technologies used by the development team. By better understanding the systems with which developers work, security teams can better align to their workflows and tooling, which can greatly reduce friction.
For example, security leaders should be aware of the challenges faced by developers in terms of time constraints and limited resources, and they should be able to provide solutions that help mitigate these challenges.
Conclusion
Zero developer friction is the secret sauce to a productive and efficient working environment in cybersecurity. However, it isn’t an easy route, and requires a combination of communication, collaboration, and the use of the right tools and technologies.
By taking the time to understand what the development team needs, and finding ways to minimize friction points, security leaders can create an enjoyable and productive experience for both dev and sec professionals.
Learn more about how to reduce developer friction by watching Let’s Talk AppSecOps.
