Whiteboard Wednesday: Bridging the Gap Between Security and Development

May 02, 2018

In this week's Whiteboard Wednesday, Alfred Chung, Sr. Solutions Manager for Application Security at Rapid7, covers the three components of closing the communication and alignment gap that so often separates security and development teams: common goals, streamlined workflows, and integrated tools. Getting these three right lets an organization ship both faster and more securely.

Curious about how you can bridge the gap starting today? Start your free 30-day InsightAppSec trial now, or learn more about the benefits of shifting the responsibility of security left in the SDLC.

Video Transcript

Hi, welcome to this week's Whiteboard Wednesday. My name is Alfred Chung, Senior Solutions Marketing Manager at Rapid7. I'm here today to talk about bridging the gap between security and app developers. Effective application security requires more than just identifying application vulnerabilities. It also means fixing them. And in application security, security teams are typically the ones that are scanning the apps to find the vulnerabilities. But it's the development teams that actually have to fix them. So in order to have an effective application security program, there needs to be careful coordination between the security team and the development team. These two organizations traditionally have been fairly siloed, with very different processes, very different language and terminology, and oftentimes, very different goals.


In order to bridge the gap between application developers and your security team, there are these three pillars: common goals, streamlined workflows, and integrated tools. The first pillar is common goals. Common goals effectively just means security and development need to get on the same page as far as what the priority of security issues is. That means understanding security as a critical component of quality. Security teams can help development teams achieve this understanding by introducing them to security training. For example, secure coding practice training, or even just scheduling Lunch and Learns internally to train or educate the development team on recent breaches, common application vulnerability types, and why application security is so important today.

The second pillar in this bridge is streamlined workflows. That means not just having certain processes in place that are understood by both parties when it comes time to remediate vulnerabilities, but also developing, or having, a shared set of common language and terminology to use. In security, it's a vulnerability. But in development, it's a bug. Going to your developers with a list of vulnerabilities might not get the same attention as if you were to go to them with a list of bugs. So, having that common set of language is important. Understanding Agile development is also key. How do the tasks get prioritized and assigned to the individual developers? Who are the stakeholders involved in making sure that developers are working on the right things? Because ultimately, security teams are introducing new work when they deliver a new report of vulnerabilities to development. Understanding how you can work with the various stakeholders involved to get those issues worked on and resolved is going to be critical in making sure that the security issues do get addressed.

And finally, integrated tools. Integrated tools are what actually put these concepts into practice and make them real on a day-to-day basis. There are security tools that enable integration with the ticketing systems that developers work from, like Jira, for example. Some security tools can directly import vulnerabilities into Jira, such that the developers are seeing and working on security issues right alongside the functional bugs and features of the application that they're building. There are also continuous integration solutions, like Jenkins, that security tools can integrate with. Continuous integration solutions will effectively run a set of automated tests to check the functionality of the application. By integrating with continuous integration, those automated test runs can also include security tests for the application, so that security issues get identified sooner and worked on by the development team earlier. So that's it for this week's Whiteboard Wednesday. We'll talk to you next week.
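To make the third pillar concrete, here is an added example of the two integrations the video describes: scanner findings are turned into tracker tickets that use the development team's own vocabulary (a "vulnerability" becomes a prioritised "bug"), re-scans update the existing ticket rather than filing duplicates, and a severity threshold decides whether the CI job passes or fails. This is illustrative code written for this page; it is not InsightAppSec, Jira or Jenkins code, and the scanner output format, field names, priority names and the in-memory `tracker` dict standing in for the ticketing system are all assumptions.

```python
import hashlib
import json

# Constructed sample scanner output for this example. The field names are an
# assumption, not InsightAppSec's or any other scanner's real export format.
SAMPLE_FINDINGS_JSON = """
[
  {"name": "Reflected XSS", "severity": "High",
   "url": "https://app.example.test/search", "parameter": "q"},
  {"name": "Reflected XSS", "severity": "High",
   "url": "https://app.example.test/search", "parameter": "q"},
  {"name": "Cookie without HttpOnly flag", "severity": "Low",
   "url": "https://app.example.test/login", "parameter": "sessionid"},
  {"name": "SQL Injection", "severity": "Critical",
   "url": "https://app.example.test/items", "parameter": "id"}
]
"""

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# A "vulnerability" on the security side becomes a "bug" with a priority the
# development team already triages by. The priority names are hypothetical.
SEVERITY_TO_PRIORITY = {"Critical": "Blocker", "High": "Major",
                        "Medium": "Normal", "Low": "Minor", "Info": "Trivial"}


def fingerprint(finding):
    """Stable identity for a finding, so a re-scan updates the existing ticket
    instead of filing a new duplicate every time the pipeline runs."""
    key = "|".join((finding["name"], finding["url"], finding["parameter"]))
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def dedupe(findings):
    """Collapse findings with the same fingerprint, keeping the first one."""
    unique = {}
    for finding in findings:
        unique.setdefault(fingerprint(finding), finding)
    return list(unique.values())


def sync_tickets(findings, tracker):
    """Create or update tickets. `tracker` is a dict standing in for the
    ticketing system (fingerprint -> ticket). Returns (new_ids, updated_ids)."""
    new_ids, updated_ids = [], []
    for finding in findings:
        fp = fingerprint(finding)
        if fp in tracker:
            tracker[fp]["seen_count"] += 1   # still present on the latest scan
            updated_ids.append(fp)
            continue
        tracker[fp] = {
            "summary": f"[Security] {finding['name']} via '{finding['parameter']}' at {finding['url']}",
            "priority": SEVERITY_TO_PRIORITY[finding["severity"]],
            "labels": ["security", "dast"],
            "seen_count": 1,
        }
        new_ids.append(fp)
    return new_ids, updated_ids


def ci_gate(findings, fail_on="High"):
    """Return (passed, blocking_findings): the build fails when any finding is
    at or above the `fail_on` severity; lower ones are tracked but not blocking."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return len(blocking) == 0, blocking


def process_scan(scan_json, tracker, fail_on="High"):
    """One pipeline step: parse scan output, file/update tickets, decide the gate."""
    findings = dedupe(json.loads(scan_json))
    new_ids, updated_ids = sync_tickets(findings, tracker)
    passed, blocking = ci_gate(findings, fail_on)
    return {"new": new_ids, "updated": updated_ids,
            "passed": passed, "blocking": len(blocking)}


if __name__ == "__main__":
    tracker = {}
    result = process_scan(SAMPLE_FINDINGS_JSON, tracker)
    for fp in result["new"]:
        print(tracker[fp]["priority"], tracker[fp]["summary"])
    print("CI gate passed:", result["passed"], "blocking:", result["blocking"])
    # A non-zero exit status is what makes the CI job fail.
    raise SystemExit(0 if result["passed"] else 1)
```

Run against the constructed sample, the first pass files three tickets (the duplicate XSS entry is collapsed by its fingerprint) and fails the gate because two findings are High or above; running it again against the same tracker files nothing new and just bumps the three existing tickets, which is the behaviour you want from a scan that runs on every build. The `fail_on` threshold is the knob security and development agree on together: start it at Critical so the pipeline is not blocked by a backlog, and lower it as the backlog is worked down.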
