We talk a lot about the need for development teams to create security champions. With the shift to DevOps – and the intersecting of development, security, and operations teams – development and security teams can no longer operate in their traditional silos. Each team needs to not only work closely together, but also have a much deeper understanding of each others’ pains, processes, and priorities. For most developers, this is uncharted territory. Security has simply not been part of their jobs or training. In fact, the vast majority have not had training on secure coding, either in college or on the job. We solve this problem in part here at CA Veracode by creating security champions on our development teams, and we recommend and coach our customers to do the same. Security champions help to reduce culture conflict between development and security by amplifying the security message on a peer-to-peer level. They don’t need to be experts, more like the “security consciousness” of the group.
But what about a development champion on the security team? Just as developers are in uncharted territory with security, the security team often has limited understanding of how the development team works. What if the security team had a development champion who was tasked with getting to know and understand the development team and their processes and bringing that knowledge and understanding back to the team? The reality is that in a DevOps world, the security team does need a much more thorough understanding of the development process than they did in the past; they simply won’t be able to do their jobs effectively and integrate security into the development process without a deep understanding of how this team works.
The development champion would spend time with the development team, getting a clear picture of their day-to-day tasks, their priorities, their pain points. Additionally, this person would spend some time learning how to code and becoming familiar with the tools developers use, and bring that understanding back to his or her team. Finally, as security shifts left, the security team will need at least a high-level understanding of developer tools like IDEs, build systems, and configuration management tools, in order to embed security tools and processes into developer workflows. What does a development champion look like?
Check out the Anatomy of a Development Champion:
Want to be the development champion on your team?
Start with our toolkit – Understanding the Dev in DevSecOps: A Toolkit for the Security Team.