In many organizations, IT security and development teams have very different mandates. For example, according to the SANS Institute's 2015 State of Application Security: Closing the Gap, while software builders focus on lowering their time to market and feature lists, application defenders worry about fully identifying all apps in their corporate portfolios to effectively address security issues.
Common wisdom says these two departments operate at 90 degrees; where one goes, the other has no interest. But alignment is slowly starting to percolate up through employees to the C-suite and emerge as a priority. Where are companies seeing success, and where do they still struggle?
As noted by eWeek, both software developers and security experts are now in high demand. This should come as no surprise, since companies now face the legacy of a mature cloud market, where applications developed too slowly are at risk of being underutilized or ignored altogether, but the larger attack surface presented by cloud-enabled network endpoints means that any application — no matter its intended purpose — poses a potential risk to corporate IT security.
It's no wonder, then, that security and development professionals are often at loggerheads. Builders know that even a week's delay could cost the company millions, while defenders worry that releasing a product before thorough testing is completed risks the discovery of a major vulnerability, forcing the company to spend even more on remediation and compliance challenges and offsetting any potential gains. And Tech World reports that developers don't make it easy on IT security, often downloading open-source components that contain known vulnerabilities or haven't been updated in months or years.
According to the SANS Institute report, while builders and defenders are making an effort to align their priorities, they diverge when it comes to the most troublesome issues on their plates. Software developers lament the lack of AppSec skills and tools available in the organization, while security professionals are concerned that attempts to fix in-house software will break the code and render it useless. And while builders call out management for too little funding and support, defenders have serious concerns about the data and process silos that naturally emerge between development, security and the C-suite.
But it's not all bad news. Both security and development teams now agree on their top three challenges: web, mobile and cloud technologies. What's more, they understand that public-facing web apps pose the biggest risk to security and revenue, since failure or compromise there can result in very public and very costly remediation efforts. As a result, more and more companies are adopting a DevOps model, which sees members from both builder and defender teams collaborating on projects to produce an end result that satisfies the need for both speed and safety.
Development and security teams are no longer at right angles — but they're not running parallel just yet. Work is underway, however, to bridge the gap and, degree by degree, bring these critical components into alignment.
Want to learn more? Download the SANS Institute's white paper.
Photo Source: Flickr