Cloud

9/25/2020
01:55 PM
Getting Over the Security-to-Business Communication Gap in DevSecOps

Application security in a DevOps world takes more than great teamwork among security, developers, and operations staff.

As application security teams seek to improve their practices to account for the swift software release cadence set by DevOps and agile development processes, collaboration has been the name of the game. Security leaders and practitioners have been asked to better integrate with developers and operations pros to streamline the way security is enmeshed with software delivery practices.  

Fostering close relationships with dev and ops should, ideally, help security teams provide tools that make sense within the DevOps working environment, that automate security testing tasks, and that validate and secure the fast-changing cloud infrastructure supporting development and production environments. The collaboration also opens a communication channel through which security can educate DevOps teams on how to manage risk throughout the software life cycle. 

But to achieve all these goals, there's often one huge relationship hole that security organizations neglect in their DevSecOps collaborative efforts — and that's with the business, both at the executive level and among application owners. 

"When we build out our process and procedures, we have to integrate ourselves as a security group into the business as well," says Brad Causey, CEO of Zero Day Consulting, an application security consulting firm, and a speaker for the Cybersecurity Crash Course to be held by Dark Reading during Interop Digital early next month. "So we have to be understanding, involved, and integrated from the very first time they sit down and start talking about [application] requirements. ... The security team has to be involved in that."

This design-first mentality as a prerequisite for DevSecOps success is a central theme of the "Capgemini Global DevSecOps Insights Report 2020," which the consulting firm released a few weeks ago. According to Capgemini, high-performing teams are 50% more likely than bottom-quartile teams to embed security in the design and build stages of software development. 

But a big obstacle to getting there is the security-to-business collaboration gap, which has kept many nascent DevSecOps programs stuck at the bottom rung of maturity. Here's why, according to Causey. 

"You really have to have some buy-in and at least some level of understanding and education at the business side because they own these apps. If I'm in a big bank, for example, the mortgage department owns the online mortgage application," he explains. "So they're responsible not only for producing the application, but understanding and directing risk management work associated with it."

These application owners set DevOps team priorities. If security isn't getting a bug in their ears, it doesn't matter how good a relationship security has with developers: the devs are going to march to the beat set by the business stakeholders who sponsor their work.

"I've seen this a million times over my career where we would do a pen test on a web app, go back to the developer and say, 'OK, here are the vulnerabilities that we found,' and they're going to say, 'Well, that's cool, but I'm working 80 hours this week on this new release that has to go out with this new functionality. So what do you want me to focus on?'" says Causey. "Well, that's not my decision, right? That's up to the business unit and the sponsor of the application."

This is likely one of the big reasons why, even on DevSecOps teams, some 69% of security pros say it is still difficult to get developers to prioritize fixing bugs, according to the recent "Mapping the DevSecOps Landscape" survey report from GitLab.

In his upcoming Interop Digital session, "Making Applications Secure in a DevOps World," Causey will dig into the dynamics of the disconnect between security and business stakeholders and offer advice on how to get past it. First among his recommendations: the CISO needs to act as chief salesperson and chief listener, getting business stakeholders invested in the AppSec program and tying AppSec goals to business priorities.

"They are in a unique position because they have a seat at the [C-suite] table," Causey says. "[As a pen tester], I don't have that seat and neither does the security manager or the appsec guy or whatever practitioner it is. So CISOs have to leverage the fact that they have a strong audience of influential folks within the organization to sell the program."

When it is time to hand management of the program over to security practitioners, the whole team needs to back up that early sales work with metrics and support that demonstrably add value for the business stakeholders. That means showing a reduction not only in vulnerabilities, but also in the time and resources it takes everyone to address them.   
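The metrics the paragraph above calls for (fewer open findings, faster fixes, fewer findings blowing past their deadline) are straightforward to compute from a vulnerability tracker export, and putting them side by side for two release windows is what turns a pen-test report into something an application owner can act on. The following is an added example, not code from the article or from Causey; the findings list is constructed sample data, the `mortgage-web` app name echoes the bank example in the article, and the per-severity SLA thresholds in `SLA_DAYS` are assumed for illustration rather than taken from any standard.

```python
"""Remediation metrics for an AppSec program, per release window.

Added example: computes mean time to remediate (MTTR), SLA breaches and
open backlog from a constructed vulnerability-tracker export, so the
same numbers can be reported for consecutive windows and compared.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    id: str
    app: str
    severity: str
    found: date
    fixed: Optional[date]  # None means the finding is still open


# Assumed remediation SLA per severity, in days (illustrative, not a standard).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed sample export: two pen-test rounds against one application.
FINDINGS: List[Finding] = [
    Finding("F-1", "mortgage-web", "high", date(2020, 6, 1), date(2020, 6, 20)),
    Finding("F-2", "mortgage-web", "high", date(2020, 6, 3), date(2020, 7, 10)),
    Finding("F-3", "mortgage-web", "medium", date(2020, 6, 5), date(2020, 6, 9)),
    Finding("F-4", "mortgage-web", "low", date(2020, 6, 7), date(2020, 8, 20)),
    Finding("F-5", "mortgage-web", "high", date(2020, 8, 2), date(2020, 8, 9)),
    Finding("F-6", "mortgage-web", "high", date(2020, 8, 4), date(2020, 8, 12)),
    Finding("F-7", "mortgage-web", "medium", date(2020, 8, 6), date(2020, 8, 8)),
    Finding("F-8", "mortgage-web", "low", date(2020, 8, 7), None),
]


def found_in_window(f: Finding, start: date, end: date) -> bool:
    """True if the finding was discovered within [start, end] inclusive."""
    return start <= f.found <= end


def mttr_days(findings: List[Finding], severity: str,
              start: date, end: date) -> Optional[float]:
    """Mean days from discovery to fix for findings of one severity found in the window.

    Open findings are excluded (they have no fix date yet); returns None if
    nothing of that severity found in the window has been fixed.
    """
    ages = [(f.fixed - f.found).days for f in findings
            if f.severity == severity and f.fixed is not None
            and found_in_window(f, start, end)]
    return sum(ages) / len(ages) if ages else None


def sla_breaches(findings: List[Finding], start: date, end: date,
                 as_of: date) -> List[str]:
    """IDs of findings found in the window that were fixed late or are open past SLA.

    An open finding is aged against `as_of`, so a stale backlog item shows up
    as a breach instead of hiding behind a missing fix date.
    """
    breached = []
    for f in findings:
        if not found_in_window(f, start, end):
            continue
        closed = f.fixed if f.fixed is not None else as_of
        if (closed - f.found).days > SLA_DAYS[f.severity]:
            breached.append(f.id)
    return breached


def open_count(findings: List[Finding], as_of: date) -> int:
    """Number of findings that were open on the given date."""
    return sum(1 for f in findings
               if f.found <= as_of and (f.fixed is None or f.fixed > as_of))


def window_report(findings: List[Finding], start: date, end: date) -> Dict[str, object]:
    """The three numbers to put in front of an application owner for one window."""
    return {
        "mttr_high_days": mttr_days(findings, "high", start, end),
        "sla_breaches": sla_breaches(findings, start, end, end),
        "open_at_end": open_count(findings, end),
    }


if __name__ == "__main__":
    for label, start, end in (("June release", date(2020, 6, 1), date(2020, 6, 30)),
                              ("August release", date(2020, 8, 1), date(2020, 8, 31))):
        print(label, window_report(FINDINGS, start, end))
```

Run stand-alone it prints one dictionary per release window; on the constructed data, high-severity MTTR drops from 28 days to 7.5, SLA breaches go from two to none, and the open backlog shrinks from two findings to one, which is the shape of evidence the business side can weigh against feature delivery. Swapping the constructed list for rows read from a real tracker export is the only change needed to use it.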

Then as the relationships grow, the CISO still needs to serve as ambassador to manage politics and translate cybersecurity insight to business language. This is crucial when friction inevitably arises as everyone tries to strike the balance between managing risk and delivering features, Causey explains.

"Those folks speak a different language, and we want the CISO in our back pocket as an ambassador when we run into problems like that," he explains.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.