RSA CONFERENCE 2021 — The disconnect between security teams and development teams continues to cause problems for companies' efforts to secure software and their infrastructure, a security consultant told attendees during a virtual session at the RSA Conference.
Chris Romeo, CEO of training provider Security Journey, argued that companies are undermining their application security initiatives by not making more efforts to break down the walls between developers, security, and operations. A central problem is that many security professionals are not coders and do not understand their incentives and motivations. Meanwhile, developers see security as busy work and say that application security tools produce a high number of false positives.
Romeo called this tension between developers and security "the dev-sec disconnect," and it's when developers and security professionals see the other as the enemy, not as a partner.
"As a developer, I'm sitting here thinking to myself, 'These security people are always in the way, they are always slowing me down, they have arbitrary requirements, [and] they can't make up their mind [when] we need to push these new features into production,'" he said. "On the other side of the coin, security is saying, 'These developers, they are lazy, they are not applying the guidance we are providing, ... [and] their code is insecure."
DevOps and agile programming have become most companies' approach to application development, according to 68% of companies in a recent survey conducted by GitLab, a DevOps service provider. The survey found the majority of developers — 71% — consider security to either be their responsibility or a shared responsibility with another group.
Yet developers and security teams still need to improve how they work together, Security Journey's Romeo said. Security teams frequently mandate rather than advise, and a lack of a detailed security process tends to convince many developers that security decisions are arbitrary and always hindering their job, he told attendees.
Instead, companies need to celebrate the successes as much as spotlight security problems, he said.
"By celebrating security wins, we can make security good for our developers and not consistently negative," he said. "It is not that difficult of a thing to do, but often developers only hear about how the sky is always falling."
Among the advice that Romeo has for security teams and companies intent on improving their application security programs: Tune the tools to reduce false positives, work together to determine the right amount of resources to dedicate to security needs, educate developers about security, and also educate security professionals about development.
"We always start with the what or the how ... we don't step back and say, 'Here's why you need to do that,'" he said. "Help the project-adjacent folks to understand why security is important for your customers. Not you as a security team, not for your executives, not for some other group inside your companies, but for your customers."
Part of that is creating metrics for security return on investment. One important metric, for example, is to track the rework required to fix bugs that have a security component to them, Romeo says.
Another major recommendation: Make sure both security professionals and developers know that they need to partner for the business to succeed, not declare one as the gatekeeper. Guardrails are fine, but developers need room to maneuver, he said.
"We have guard rails to protect us from going off the side of the mountain," Romeo said. "They don't work if they are only two inches from your car and give you no room to maneuver. Security guardrails need to give you some freedom around the development process."
While Romeo sees the disconnect between security workers and developers as a continuing problem, the GitLab survey released earlier this month spotlighted some hopeful trends. While security and application testing continues to be a headache for developers — with 40% of developers concerned that it takes place too late in the development pipeline — 72% of developers considered their organizations' security to be either good or strong, 13 points higher than the previous year.
About 43% of the survey's respondents deploy software at least once a week, the survey found.