Feb 1, 2018

Security: Here’s What You Need to Know About Development

By Suzanne Ciccone

The days of security and development working in separate and isolated silos are over. Security is now a task shared by the development and security teams throughout the software lifecycle – from inception to production. Security testing has become primarily the responsibility of developers, with security taking on more of an enabling role – crafting and communicating policies, assisting with remediation and mitigation guidance, and implementing developer training. This is a big change for most security teams, and requires a mindshift not only about roles and responsibilities, but also about the level of understanding and knowledge. It’s no longer feasible for security professionals to have a superficial understanding of how developers work; they need a deeper understanding of development processes, tools and priorities. Where to start? Increase your developer knowledge by getting a handle on the following:

Development priorities and challenges

Do you know what goals your developers are measured on? Do you understand their processes and what slows them down?

It’s no longer practical to make extensive security demands of development teams without any awareness of their workload and priorities. Security and development need to work together, which means understanding each other’s pain. Since developers can’t fix every flaw at the same time, security needs to be pragmatic, be aware of development’s priorities and bandwidth, and help them prioritize the tasks and the timelines.

Having empathy for developers and their challenges will go a long way in making you more effective. Try taking a developer or two to lunch, and have them explain their processes and challenges. Another option: Shadow a developer for a day or part of one to understand their challenges and processes.

Further, check out online developer communities like StackOverflow or developer.com. Find out what developers are thinking and talking about. Look for security-related topics and questions, and contribute to the conversation where you can.

Development tools and technologies

Do you understand container technologies, build systems, or configuration management tools?

Ultimately, you should have a firm grasp on how developers are producing code, checking code into source control, spinning up environments and deploying code to the pipeline. You need this understanding to optimize how security testing is integrated into these processes.

Focus on gaining a high-level understanding of the tools and what they do, rather than details about specific tools.

DevOps

Do you understand how DevOps is different from Agile or waterfall? Do you understand the benefits and goals of this model?

You definitely need a clear understanding of this development model. Even if your organization hasn’t fully embraced DevOps, this is the future of software development.

Good places to start: The DevOps Handbook and The Phoenix Project by Gene Kim

Open source component use

How are your developers using open source components? Where are they finding them?

Understanding how code comes into your organization will be increasingly critical. Today, it is very easy for developers to inadvertently pull vulnerable code into your organization. In turn, the security team should put governance in place regarding open source component use.

Coding basics

Could you do some simple coding? Do you know what languages your developers are coding in?

You will need to be familiar with coding practices in order to understand how security fits into them. There are numerous free or almost-free software development classes available. Try Coursera or edX, or consider augmenting a CISSP with a CSSLP.

Your developers’ secure coding knowledge

Does your development team know how to avoid introducing security vulnerabilities into code? Are they familiar with the major security vulnerabilities?

Most developers have not had training on secure coding, either in college or on the job. Find out which training would work best for them – eLearning, instructor-led training, training modules within their current systems? In addition, which flaws are you seeing most often in code? Customize the training based on the specifics of what your team needs to work on.

Where to find out more

We’ve created a toolkit of resources to help the security team boost their development know-how. Download Understanding the Dev in DevSecOps: A Toolkit for the Security Team to get a valuable bundle of assets on everything from the basics of DevOps and CI/CD to open source component use and best practices for securing DevOps.

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.