Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

6/25/2020
10:00 AM
Dan Cornell
Dan Cornell
Commentary
50%
50%

Better Collaboration Between Security & Development

Security and development teams must make it clear why their segment of the development life cycle is relevant to the other teams in the pipeline.

For more than 10 years, I've been preaching the idea that collaboration between security and development teams is critical. This is especially true for teams that have different stakeholders and work across time zones and geographic regions. Despite my efforts in evangelizing the message, I continue to see examples of poor communication that hurt teams' constant pursuit of organizational security.

Over the last decade, I've continued to see a large number of security teams use PDF documents as their standard mode of communication to highlight vulnerabilities for remediation by development teams, but this archaic practice lacks the context that is necessary for the development team's buy-in and understanding. This results in vulnerabilities being improperly fixed or completely ignored by development teams as they field a growing list of tasks and promises to customers. That doesn't mean that developers don't care about security; rather, communication is the problem.

Bringing teams together to collaborate isn't enough if they don't understand how to effectively communicate. Each team must make an effort to communicate why their segment of the development life cycle is relevant to the other teams in the pipeline. So, what can the security team members do if they want development to work with them in fixing vulnerabilities? A good start would be providing developers with context regarding the vulnerabilities that are being identified, in addition to communicating what tools they've been using to identify these vulnerabilities, avoiding the exported PDF at all costs.

In my past experience, I've seen it proven time and time again that collaboration has a direct impact on organizational success, and there is data that supports these observations. In fact, effective collaboration has the ability to reduce the mean time to fix (MTTF) vulnerabilities by up to 44%, in Denim Group's experience, proving that this need has not changed over the last decade. While some security professionals believe that the responsibility of fixing vulnerabilities is completely up to the development team, they must remember that security isn't their only task. By reducing the development team's workload through more effective communication of vulnerabilities, security teams can help foster stronger working partnerships, all while speeding up vulnerability remediation.

This proposition then raises the question: How can disparate teams cultivate stronger collaboration? First, security teams must develop a clean set of vulnerabilities to provide to developers. Doing things such as culling false positives, reprioritizing vulnerabilities, and capturing sufficient context are all steps that must be taken into account when creating a streamlined and easy-to-understand list. Once the security team drafts a clean list of vulnerabilities, they then need to determine which ones the development team must address. As I noted earlier, developers are often inundated with tasks such as writing new features and functions, or fixing non-security-related bugs, and in order to increase collaboration, they should not be forced to fix things that don't actually need to be fixed. This places more responsibility on the security teams by making them prioritize the vulnerabilities they want to deliver and ensure that the development teams can fix them.

Next, after determining what vulnerabilities are worth the developers' time, security teams should bundle vulnerabilities into software defects, being sure to avoid creating a new software defect for every vulnerability they identify, as this can easily begin to overwhelm the development teams they work with. This holds especially true because a majority of technical vulnerabilities are easily fixed with a small code change, and by sending too many defects, security teams are actually slowing down what should be a relatively easy process. By bundling like vulnerabilities together, security teams are minimizing the steps that developers need to take, minimizing their workload which can assist in bringing these teams closer.

Increased collaboration between security and development teams is critical — and necessary if a business wants to be successful. By streamlining communication, teams can address vulnerabilities faster, and more efficiently. Maintaining collaboration is an ongoing effort for organizations that must be prioritized, and while there are tools that can assist, it is not solely a technological issue. Teams working with — not in competition of — one another must be a goal of the security industry in order to maintain success. This need has grown increasingly important, as threat actors are constantly finding new ways to infiltrate security systems, so strong team collaboration is your first and best defense.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...