Dark Reading is part of the Informa Tech Division of Informa PLC

Application Security

Dev-Sec Disconnect Undermines Secure Coding Efforts

Rather than continue to complain about each other, developers and security pros need to work together and celebrate their successes.

RSA CONFERENCE 2021 — The disconnect between security teams and development teams continues to cause problems for companies' efforts to secure software and their infrastructure, a security consultant told attendees during a virtual session at the RSA Conference.

Chris Romeo, CEO of training provider Security Journey, argued that companies are undermining their application security initiatives by not making more efforts to break down the walls between developers, security, and operations. A central problem is that many security professionals are not coders and do not understand developers' incentives and motivations. Meanwhile, developers see security as busy work and say that application security tools produce a high number of false positives.

Romeo called this tension between developers and security "the dev-sec disconnect": developers and security professionals each see the other as the enemy, not as a partner.

"As a developer, I'm sitting here thinking to myself, 'These security people are always in the way, they are always slowing me down, they have arbitrary requirements, [and] they can't make up their mind [when] we need to push these new features into production,'" he said. "On the other side of the coin, security is saying, 'These developers, they are lazy, they are not applying the guidance we are providing, ... [and] their code is insecure.'"

DevOps and agile programming have become most companies' approach to application development, according to 68% of companies in a recent survey conducted by GitLab, a DevOps service provider. The survey found the majority of developers — 71% — consider security to either be their responsibility or a shared responsibility with another group. 

Yet developers and security teams still need to improve how they work together, Security Journey's Romeo said. Security teams frequently mandate rather than advise, and a lack of a detailed security process tends to convince many developers that security decisions are arbitrary and always hindering their job, he told attendees.

Instead, companies need to celebrate the successes as much as spotlight security problems, he said.

"By celebrating security wins, we can make security good for our developers and not consistently negative," he said. "It is not that difficult of a thing to do, but often developers only hear about how the sky is always falling."

Among the advice that Romeo has for security teams and companies intent on improving their application security programs: Tune the tools to reduce false positives, work together to determine the right amount of resources to dedicate to security needs, educate developers about security, and also educate security professionals about development.

"We always start with the what or the how ... we don't step back and say, 'Here's why you need to do that,'" he said. "Help the project-adjacent folks to understand why security is important for your customers. Not you as a security team, not for your executives, not for some other group inside your companies, but for your customers."

Part of that is creating metrics for security return on investment. One important metric, for example, is to track the rework required to fix bugs that have a security component to them, Romeo says. 

Another major recommendation: Make sure both security professionals and developers know that they need to partner for the business to succeed, not declare one as the gatekeeper. Guardrails are fine, but developers need room to maneuver, he said.

"We have guard rails to protect us from going off the side of the mountain," Romeo said. "They don't work if they are only two inches from your car and give you no room to maneuver. Security guardrails need to give you some freedom around the development process."

While Romeo sees the disconnect between security workers and developers as a continuing problem, the GitLab survey released earlier this month spotlighted some hopeful trends. While security and application testing continues to be a headache for developers — with 40% of developers concerned that it takes place too late in the development pipeline — 72% of developers considered their organizations' security to be either good or strong, 13 points higher than the previous year. 

About 43% of the survey's respondents deploy software at least once a week, the survey found.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...