In a recent Summer Security Fundamentals webcast, our panel of cybersecurity experts discussed application security and the pressing questions many of you likely face in your organization: How do you bring the builders and defenders together for a seamless DevSecOps culture? How do you empower development and operations to really care about security? At what point do you need to hire an outside team to build your appsec program?
In this blog, we will share some insightful tips on all things application security:
Banish the security police
Sometimes it feels like DevOps and security professionals are on opposing teams. Developers live and breathe software development but might not be up-to-date on the best security practices. Security experts see problems and are eager to fix them, but their solutions don’t always match the daily reality of development and operations--especially in today’s world where the pressure to release high quality software is growing faster everyday. Security feels that development often doesn’t prioritize protecting the application, and developers and operations teams resent security teams coming in like an authority figure and insisting on changes. Our panelists agree that for an application security testing program to be effective, the typical relationship between security and DevOps teams has to change.
As security professionals, sit down with development and operations practitioners and even non-engineer stakeholders. Try to really understand their perspectives and what their day-to-day concerns are. This will help you provide the most practical solutions.
In return, helping developers and operations professionals understand security risks and giving them the tools to easily resolve issues will enable them to be a part of your security efforts. Everyone in your organization wants to put out a secure product—you just have to empower them to do so.
Building an appsec program
The panelists discussed both when and how to bring security into the software development life cycle (SDLC). Security measures are too often the last step in the process, but according to our experts, they should really be there from the beginning. Make security a continuous part of the SDLC rather than something that gets implemented from above every six months or every year.
According to our panelists, it’s best to grow your appsec program organically in the beginning. Start with leadership expressing to development the importance of working on security practices. That means gaining a better understanding of risks and clarity into current processes.
Once you start to have these discussions, the existing development and operations teams will start to take an interest in application security, and internal leaders will emerge. These are the people who already make and run your applications, so let them get as far as they can, then bring in outside security leaders to help.
Because your developers are already working on security initiatives, they will naturally form positive relationships with the new team members brought in to help with their problems. If development hasn’t been involved with security from the start, they’re more likely to feel that the new security experts are there to impose a new burden on development.
It’s always tempting to focus on shiny new tools and changed processes when creating your application security program. But our panelists shared that they find a strong DevSecOps culture to be the most important factor. Without the cultural shift, it will be hard to make the tools and processes stick.
Finally, the panelists recommend that you think about your feedback cycle. Monitoring for risks is easy enough, but what do you do with the results? How will you remediate issues quickly? Try different procedures for reporting and resolving, like Jira or email, and see which model works for your organization.
Top tips from the experts
Each expert panelist gave us his best advice for building a DevSecOps-oriented appsec program. Senior Director of Products Michael Feirtag says that when you’re thinking about doing DevSecOps—which he defines as making security work in the DevOps manner—his best advice would be to make all of your decisions data-oriented. Avoid basing your decisions on your opinions alone, and instead monitor your environment and work from the information you collect.
Justin Pagano, Senior Manager of Information Security, suggests security professionals try to find opportunities to be hands-on with development and operations. The development and operations teams need to feel like you’re working with them, not just telling them what to do.
And for Ulrich Dangel, Senior Manager of Software Engineering, the key is to focus on processes, culture, and bridging the communication gap rather than any specific solution. Remember, with DevSecOps, you’re all on the same team.