Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. The group met remotely to discuss driving partnerships between security and development, led by the CTO of a full-service, tech-enabled professional services firm. This Session was sponsored by Veracode.
There have been more cyberattacks in the last two years than ever before. Organizations across industries have realized that security can no longer be an afterthought. It needs to be seen as an intrinsic part of software, and hence must be shifted left and considered as early in the SDLC as possible. To that end, it’s pivotal to bridge the gap between security and development teams and establish a silo-free partnership.
During the discussion, different attendees talked about key motivators for driving partnerships between security and development. One head of Information Security said that these partnerships allow them to put security guardrails around development without hampering their productivity. A CTO added that active collaboration between development and security is critical to building the security mindset and developing “inherently safe” software. Other common motivators were:
A speaker shared that security has two main aspects. The first is risk management: the proactive work done ahead of time, such as penetration testing, secure coding practices, static and dynamic code analysis, code reviews, log management, etc. The second covers reactive tasks, such as incident management, disaster recovery, fixing zero-day vulnerabilities, etc. Fulfilling both aspects requires a strong partnership between development and security.
It is important to regularly scan open-source libraries and packages for vulnerabilities, bugs, or security hotspots. Developers should know how to execute static and dynamic scans on third-party code and resolve any discovered vulnerabilities or errors. They should be able to understand the reports generated by penetration testing software. It's also important to have a tool that checks open-source software for licensing and compliance before allowing developers to introduce it into their source code.
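As an added illustration of the gate described above (not code from the roundtable or its sponsor), the following Python snippet checks a pinned requirements-style manifest against a constructed advisory list and a license allow-list before a dependency is accepted; the package names, advisory ids, version thresholds and license data are all made up for the example.

```python
"""Pre-merge dependency gate: flag known-vulnerable and non-compliant
third-party packages. All advisory and license data below is constructed
for illustration, not pulled from a real vulnerability database."""
from dataclasses import dataclass

# Constructed license policy: the open-source licenses the organization permits.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisory feed: (package, first fixed version, advisory id placeholder).
ADVISORIES = [
    ("pyyaml", (5, 4), "ADVISORY-ID-PLACEHOLDER-1"),
    ("requests", (2, 20, 0), "ADVISORY-ID-PLACEHOLDER-2"),
]

# Constructed package metadata: package name -> declared license.
LICENSES = {"pyyaml": "MIT", "requests": "Apache-2.0", "somegpl": "GPL-3.0-only"}


@dataclass
class Finding:
    package: str
    version: str
    kind: str      # "vulnerable" or "license"
    detail: str


def parse_version(text: str) -> tuple:
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text: str) -> list:
    """Parse 'name==version' lines (requirements.txt style), ignoring comments and blanks."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")   # unpinned entries are rejected by raising here
        pins.append((name.strip().lower(), version.strip()))
    return pins


def check_dependencies(manifest: str) -> list:
    """Return one Finding per vulnerable pin or disallowed/unknown license."""
    findings = []
    for name, version in parse_manifest(manifest):
        for pkg, fixed_in, advisory in ADVISORIES:
            if pkg == name and parse_version(version) < fixed_in:
                fixed = ".".join(map(str, fixed_in))
                findings.append(Finding(name, version, "vulnerable", f"{advisory}: fixed in {fixed}"))
        license_id = LICENSES.get(name, "UNKNOWN")   # unknown license fails closed
        if license_id not in ALLOWED_LICENSES:
            findings.append(Finding(name, version, "license", license_id))
    return findings
```

A CI job would fail the build whenever `check_dependencies` returns a non-empty list, so the review happens before the package reaches the code base rather than after.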
Multiple participants talked about the importance of having a security-oriented culture in an organization. Some employees tend not to pay attention to security because it is not a part of their official job title. It can be easy for them to assume that since they are not contractually bound to incorporate security, they can just release insecure software. This mindset can be changed by including security as a job requirement for developers. We need to start seeing security as a hygiene factor in an organization. Just like a cook in a restaurant needs to abide by certain hygiene standards to keep their job, a developer should also be required to follow secure coding practices while building software.
Getting the buy-in from CXOs and board members is critical in cultivating a culture of security. As you explain various security risks and problems to them, remember that you are talking to a group of mainly non-technical people. Instead of showing them how SQL injections work, talk about the possible financial/reputation loss that the company may incur in the event of a breach. Speak to them in their language, including data, risk profiles, and financials.