The development team can be the biggest barrier to the success of your application security (AppSec) program. If this team does not follow the protocol outlined in your program plan, you will be unable to demonstrate the value of your program, and it could stall before getting started.
Security and development often seem to have competing priorities – delivering code on time vs. ensuring every line of code is secure. Development and DevOps teams are often resistant when they hear their organization will enact an application security assessment program because they are concerned that their development efforts will be slowed down. In addition, security professionals have hit roadblocks by focusing on dictating security rules to developers, rather than working to create partnerships and common goals with them.
To make your application security program a success, you need to understand both developers’ concerns regarding security and the best ways to approach them about the subject. To help with these endeavors, we’ve put together six best practices for working with development teams and making them your ally rather than a roadblock to success.
1. Get dev involved early: Consult the development and DevOps teams early during your application security plan’s conception and throughout its evolution. This way, the security team can ensure the assessment protocols do not disrupt the development lifecycle, and instead, enhance the development processes by making it easier for developers to find and remediate vulnerabilities. In addition, getting development buy-in before the strategy launches lessens the chance of development teams ignoring security protocols and guidelines. They will be more receptive to the program if they are able to influence the protocols and become a vested partner in the project, rather than simply the recipient of a long list of rules.
2. Understand the development process: You need to clearly understand development processes to best work with developers and integrate security into their workflow. Sit with leaders on the development team and map out your company’s development frameworks.
3. Be a part of the development process: When developers are new to security, you may need to jump in and help define security tasks and processes. This might involve writing security “stories,” and helping develop task cards to describe the security work to be done.
4. Provide security training for developers: Training can’t be beat when it comes to bringing developers up to speed on security. In fact, our research found that organizations using remediation coaching services (“readout calls”) improve code security by a factor of 2.5x compared to those that choose to do it on their own (State of Software Security, Volume 6). Consider a combination of in-house explanations or demonstrations, third-party experts to help with application threat modeling, eLearning or various commercial courses.
5. Find a security champion on the development team: Find a developer interested in security who can act as your “champion” within the team. This internal champion will guide your plan as he or she can provide insight into how the strategy is received as well as practical improvements that could be made.
6. Help prioritize vulnerabilities: Traditionally, security had a reputation for flooding developers with vast amounts of “urgent” and “fix now!” vulnerabilities. Avoid the “boy who cried wolf” syndrome by helping development understand which vulnerabilities are priorities and with strategies for addressing the most critical.
Ultimately, these tips come down to understanding development processes and then integrating security as seamlessly into them as possible, without sacrificing security objectives.
For more information on working with the different teams in your organization to make your AppSec program a success, see our guide Cracking the Code on Application Security Buy-In.