Getting Over the Security-to-Business Communication Gap in DevSecOps

Application security in a DevOps world takes more than great teamwork among security, developers, and operations staff.

As application security teams seek to improve their practices to account for the swift software release cadence set by DevOps and agile development processes, collaboration has been the name of the game. Security leaders and practitioners have been asked to better integrate with developers and operations pros to streamline the way security is enmeshed with software delivery practices.  

Fostering close relationships with dev and ops will ideally help security teams provide tools that make sense within the DevOps working environment, that automate security testing tasks, and that seamlessly validate and secure the fast-changing cloud infrastructure supporting development and production environments. The collaboration also opens a communication channel through which security can educate DevOps teams on how to transform the way they manage risk throughout the software life cycle.

But to achieve all these goals, there's often one huge relationship hole that security organizations neglect in their DevSecOps collaborative efforts — and that's with the business, both at the executive level and among application owners. 


"When we build out our process and procedures, we have to integrate ourselves as a security group into the business as well," says Brad Causey, CEO of Zero Day Consulting, an application security consulting firm, and a speaker for the Cybersecurity Crash Course to be held by Dark Reading during Interop Digital early next month. "So we have to be understanding, involved, and integrated from the very first time they sit down and start talking about [application] requirements. ... The security team has to be involved in that."

This kind of design thinking mentality for ensuring DevSecOps success is a big theme in the "Capgemini Global DevSecOps Insights Report 2020," which the consulting firm released a few weeks ago. Capgemini experts explained that high-performing teams are 50% more likely to embed security in the design and build stages of software development than bottom-quartile teams. 

But a big obstacle getting in the way of achieving this is a security-to-business collaboration gap that has hamstrung nascent DevSecOps programs from progressing past the bottom rung of maturity. Here's why, according to Causey. 

"You really have to have some buy-in and at least some level of understanding and education at the business side because they own these apps. If I'm in a big bank, for example, the mortgage department owns the online mortgage application," he explains. "So they're responsible not only for producing the application, but understanding and directing risk management work associated with it."

These application owners drive DevOps team priorities, so if security isn't getting a bug in their ears, it doesn't matter how good a relationship security has with developers: the devs are going to march to the beat set by these business stakeholders.

"I've seen this a million times over my career where we would do a pen test on a web app, go back to the developer and say, 'OK, here are the vulnerabilities that we found,' and they're going to say, 'Well, that's cool, but I'm working 80 hours this week on this new release that has to go out with this new functionality. So what do you want me to focus on?'" says Causey. "Well, that's not my decision, right? That's up to the business unit and the sponsor of the application."

This is likely one of the big reasons why even on DevSecOps teams, some 69% of security pros say it is still difficult to get developers to actually prioritize fixing bugs, according to the recent "Mapping the DevSecOps Landscape" survey report from GitLab.

In his upcoming session during Interop Digital, "Making Applications Secure in a DevOps World," Causey is going to get into the dynamics of the disconnect between security and business stakeholders and offer advice on how to get past it. First on his list: the CISO needs to act as chief salesperson and chief listener, getting business stakeholders invested in the AppSec program and tying AppSec goals to business priorities.

"They are in a unique position because they have a seat at the [C-suite] table," Causey says. "[As a pen tester], I don't have that seat and neither does the security manager or the appsec guy or whatever practitioner it is. So CISOs have to leverage the fact that they have a strong audience of influential folks within the organization to sell the program."

When it is time to hand over management of the program to security practitioners, the whole team also needs to back up that early sales work with metrics and support that add value and prove it to the business stakeholders. This means showing a reduction not only in the number of vulnerabilities, but also in the time and resources it takes everyone to address them.

Then as the relationships grow, the CISO still needs to serve as ambassador to manage politics and translate cybersecurity insight to business language. This is crucial when friction inevitably arises as everyone tries to strike the balance between managing risk and delivering features, Causey explains.

"Those folks speak a different language, and we want the CISO in our back pocket as an ambassador when we run into problems like that," he explains.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.