Dark Reading is part of the Informa Tech Division of Informa PLC

Application Security

5/20/2021 05:55 PM

Dev-Sec Disconnect Undermines Secure Coding Efforts

Rather than continue to complain about each other, developers and security pros need to work together and celebrate their successes.

RSA CONFERENCE 2021 — The disconnect between security teams and development teams continues to cause problems for companies' efforts to secure software and their infrastructure, a security consultant told attendees during a virtual session at the RSA Conference.

Chris Romeo, CEO of training provider Security Journey, argued that companies are undermining their application security initiatives by not making more of an effort to break down the walls between developers, security, and operations. A central problem is that many security professionals are not coders and do not understand developers' incentives and motivations. Meanwhile, developers see security as busy work and say that application security tools produce a high number of false positives.


Romeo called this tension between developers and security "the dev-sec disconnect": the state in which developers and security professionals see each other as the enemy rather than as a partner.

"As a developer, I'm sitting here thinking to myself, 'These security people are always in the way, they are always slowing me down, they have arbitrary requirements, [and] they can't make up their mind [when] we need to push these new features into production,'" he said. "On the other side of the coin, security is saying, 'These developers, they are lazy, they are not applying the guidance we are providing, ... [and] their code is insecure.'"

DevOps and agile programming have become the dominant approach to application development: 68% of companies reported using them in a recent survey conducted by GitLab, a DevOps service provider. The survey also found that the majority of developers — 71% — consider security to be either their own responsibility or a responsibility shared with another group.

Yet developers and security teams still need to improve how they work together, Security Journey's Romeo said. Security teams frequently mandate rather than advise, and a lack of a detailed security process tends to convince many developers that security decisions are arbitrary and always hindering their job, he told attendees.

Instead, companies need to celebrate the successes as much as spotlight security problems, he said.

"By celebrating security wins, we can make security good for our developers and not consistently negative," he said. "It is not that difficult of a thing to do, but often developers only hear about how the sky is always falling."

Among the advice that Romeo has for security teams and companies intent on improving their application security programs: Tune the tools to reduce false positives, work together to determine the right amount of resources to dedicate to security needs, educate developers about security, and also educate security professionals about development.

"We always start with the what or the how ... we don't step back and say, 'Here's why you need to do that,'" he said. "Help the project-adjacent folks to understand why security is important for your customers. Not you as a security team, not for your executives, not for some other group inside your companies, but for your customers."

Part of that is creating metrics for security return on investment. One important metric, for example, is to track the rework required to fix bugs that have a security component, Romeo said.

Another major recommendation: Make sure both security professionals and developers know that they need to partner for the business to succeed, rather than declaring one side the gatekeeper. Guardrails are fine, but developers need room to maneuver, he said.

"We have guard rails to protect us from going off the side of the mountain," Romeo said. "They don't work if they are only two inches from your car and give you no room to maneuver. Security guardrails need to give you some freedom around the development process."

While Romeo sees the disconnect between security workers and developers as a continuing problem, the GitLab survey released earlier this month spotlighted some hopeful trends. While security and application testing continue to be a headache for developers — with 40% of developers concerned that testing takes place too late in the development pipeline — 72% of developers considered their organizations' security to be either good or strong, 13 points higher than the previous year.

About 43% of the survey's respondents deploy software at least once a week, the survey found.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...