
Application Security

5/20/2021, 05:55 PM

Dev-Sec Disconnect Undermines Secure Coding Efforts

Rather than continue to complain about each other, developers and security pros need to work together and celebrate their successes.

RSA CONFERENCE 2021 — The disconnect between security teams and development teams continues to cause problems for companies' efforts to secure software and their infrastructure, a security consultant told attendees during a virtual session at the RSA Conference.

Chris Romeo, CEO of training provider Security Journey, argued that companies are undermining their application security initiatives by not making more efforts to break down the walls between developers, security, and operations. A central problem is that many security professionals are not coders and do not understand their incentives and motivations. Meanwhile, developers see security as busy work and say that application security tools produce a high number of false positives.


Romeo called this tension between developers and security "the dev-sec disconnect": the state in which developers and security professionals see each other as the enemy rather than as a partner.

"As a developer, I'm sitting here thinking to myself, 'These security people are always in the way, they are always slowing me down, they have arbitrary requirements, [and] they can't make up their mind [when] we need to push these new features into production,'" he said. "On the other side of the coin, security is saying, 'These developers, they are lazy, they are not applying the guidance we are providing, ... [and] their code is insecure.'"

DevOps and agile development have become the dominant approach to application development: 68% of companies reported using them in a recent survey conducted by GitLab, a DevOps service provider. The survey also found that the majority of developers, 71%, consider security to be either their own responsibility or a responsibility shared with another group.

Yet developers and security teams still need to improve how they work together, Security Journey's Romeo said. Security teams frequently mandate rather than advise, and the lack of a detailed security process convinces many developers that security decisions are arbitrary and a constant hindrance to their work, he told attendees.

Instead, companies need to celebrate the successes as much as spotlight security problems, he said.

"By celebrating security wins, we can make security good for our developers and not consistently negative," he said. "It is not that difficult of a thing to do, but often developers only hear about how the sky is always falling."

Among the advice that Romeo has for security teams and companies intent on improving their application security programs: Tune the tools to reduce false positives, work together to determine the right amount of resources to dedicate to security needs, educate developers about security, and also educate security professionals about development.

"We always start with the what or the how ... we don't step back and say, 'Here's why you need to do that,'" he said. "Help the project-adjacent folks to understand why security is important for your customers. Not you as a security team, not for your executives, not for some other group inside your companies, but for your customers."

Part of that is creating metrics for security return on investment. One important metric, for example, is the rework required to fix bugs that have a security component, Romeo said.

Another major recommendation: Make sure both security professionals and developers know that they need to partner for the business to succeed, rather than declaring one of them the gatekeeper. Guardrails are fine, but developers need room to maneuver, he said.

"We have guardrails to protect us from going off the side of the mountain," Romeo said. "They don't work if they are only two inches from your car and give you no room to maneuver. Security guardrails need to give you some freedom around the development process."

While Romeo sees the disconnect between security workers and developers as a continuing problem, the GitLab survey released earlier this month spotlighted some hopeful trends. While security and application testing continue to be a headache for developers, with 40% of developers concerned that testing takes place too late in the development pipeline, 72% of developers considered their organizations' security to be either good or strong, 13 percentage points higher than the previous year.

About 43% of the survey's respondents deploy software at least once a week, the survey found.
