As application security teams seek to improve their practices to account for the swift software release cadence set by DevOps and agile development processes, collaboration has been the name of the game. Security leaders and practitioners have been asked to better integrate with developers and operations pros to streamline the way security is enmeshed with software delivery practices.
Fostering close relationships with dev and ops will ideally help security teams provide tools that make sense within the DevOps working environment, that automate security testing tasks, and that seamlessly validate and secure the fast-changing cloud infrastructure supporting development and production environments. Additionally, the collaboration sets up a communication channel for security to educate DevOps teams on how to transform the way they manage risk throughout the software life cycle.
But to achieve all these goals, there's often one huge relationship hole that security organizations neglect in their DevSecOps collaborative efforts — and that's with the business, both at the executive level and among application owners.
"When we build out our process and procedures, we have to integrate ourselves as a security group into the business as well," says Brad Causey, CEO of Zero Day Consulting, an application security consulting firm, and a speaker for the Cybersecurity Crash Course to be held by Dark Reading during Interop Digital early next month. "So we have to be understanding, involved, and integrated from the very first time they sit down and start talking about [application] requirements. ... The security team has to be involved in that."
This kind of design thinking mentality for ensuring DevSecOps success is a big theme in the "Capgemini Global DevSecOps Insights Report 2020," which the consulting firm released a few weeks ago. Capgemini experts explained that high-performing teams are 50% more likely to embed security in the design and build stages of software development than bottom-quartile teams.
But a big obstacle getting in the way of achieving this is a security-to-business collaboration gap that has hamstrung nascent DevSecOps programs from progressing past the bottom rung of maturity. Here's why, according to Causey.
"You really have to have some buy-in and at least some level of understanding and education at the business side because they own these apps. If I'm in a big bank, for example, the mortgage department owns the online mortgage application," he explains. "So they're responsible not only for producing the application, but understanding and directing risk management work associated with it."
These application owners drive DevOps team priorities, so if security isn't getting a bug in their ears, it doesn't matter how good a relationship security has with developers — the devs are going to march to the beat set by these business stakeholders.
"I've seen this a million times over my career where we would do a pen test on a web app, go back to the developer and say, 'OK, here are the vulnerabilities that we found,' and they're going to say, 'Well, that's cool, but I'm working 80 hours this week on this new release that has to go out with this new functionality. So what do you want me to focus on?'" says Causey. "Well, that's not my decision, right? That's up to the business unit and the sponsor of the application."
This is likely one of the big reasons why even on DevSecOps teams, some 69% of security pros say it is still difficult to get developers to actually prioritize fixing bugs, according to the recent "Mapping the DevSecOps Landscape" survey report from GitLab.
In his upcoming session during Interop Digital, "Making Applications Secure in a DevOps World," Causey is going to get into the dynamics of the disconnect between security and business stakeholders and offer advice on how to get past it. First among his recommendations: the CISO needs to be chief salesperson and listener in order to get business stakeholders tapped into the AppSec program and to tie AppSec goals to business priorities.
"They are in a unique position because they have a seat at the [C-suite] table," Causey says. "[As a pen tester], I don't have that seat and neither does the security manager or the appsec guy or whatever practitioner it is. So CISOs have to leverage the fact that they have a strong audience of influential folks within the organization to sell the program."
When it is time to hand over management of the program to security practitioners, the whole team also needs to back up that early sales work with metrics and support that add value and prove it to the business stakeholders. This means showing a reduction not only in vulnerabilities, but also in the time and resources it takes for everyone to address them.
Then as the relationships grow, the CISO still needs to serve as ambassador to manage politics and translate cybersecurity insight to business language. This is crucial when friction inevitably arises as everyone tries to strike the balance between managing risk and delivering features, Causey explains.
"Those folks speak a different language, and we want the CISO in our back pocket as an ambassador when we run into problems like that," he explains.