Survey warns that working relationships must improve among developers
A new report highlights the risks of the often-tense divide between software developers and security teams, calling for greater unity across the two.
The report, from the Ponemon Institute and cybersecurity firm ZeroNorth, asked 581 security practitioners and 549 developers from across the US about their working relationships.
The survey, ‘Revealing the Cultural Divide Between Application Security and Development’, released today, attempted to drill down into the reasons behind the divide.
It found that while developers are less likely (49%) to recognize there is a cultural divide than their AppSec colleagues (75%), employees from both groups disagree on whose responsibility security really is.
Only 39% of respondents working in software development say the security team is ultimately responsible for application security, the report states, in contrast to 67% of AppSec workers who say that they are accountable.
“This lack of alignment demonstrates the potential for security to simply fall through the cracks if ownership is not clearly understood,” the survey warns.
The buck stops… where?
There are a number of risks associated with fraught communications between DevOps and AppSec employees, particularly when it comes to the potential rollout of insecure products.
According to the Ponemon study, AppSec workers claimed that the fault lies with developers for publishing code containing known vulnerabilities. They also claimed that flaws are often ignored if the application is deemed to be a ‘big seller’.
However, developers said security teams do not understand the pressure of working to tight deadlines and the issues this can create.
Whatever the reasons behind the apparent rift between the two groups, the report asserts that major changes need to be made in the way that the teams coexist.
John Worrall, ZeroNorth CEO, told The Daily Swig: “We believe that uniting security and DevOps, along with business teams, is critical, and to make this happen we need real clarity on where issues need to be addressed head-on. This is what spurred the research.”
Worrall added: “The bottom line is that there must be clear responsibilities and accountability for application security.
“This will ensure these professionals understand the roles and expectations in terms of building secure software, while also addressing the speed-of-delivery requirements from the business.
“But, if the bridges aren’t built, there’s a huge chance security issues will fall through the cracks, and organizations will put themselves at greater risk.”
The report also addressed the complications caused by the coronavirus epidemic, which has seen workforces worldwide switch to remote working.
One consequence that both security and development teams can agree on is the heightened stress levels suffered by IT teams.
The majority of developers (66%) and AppSec respondents (72%) said that remote working is “stressful”. In addition, only 29% of developers are confident that colleagues are complying with security protocols, while just 38% of security workers feel the same.
This added pressure could be a reason why respondents say the security of products has diminished since the move to working from home – a worrying 74% of developers said this was the case, compared to 47% of security practitioners.
The Covid-19 pandemic shows no signs of slowing, so what can be done to solve the problem?
Worrall suggested that the key to fostering better working relationships between DevOps teams and their AppSec counterparts lies in employing an effective CISO.
“The most surprising piece is that, despite the current cultural barriers, both security and DevOps teams are hungry for leadership,” said Worrall.
“While it is often lacking today, these individuals are looking for an executive to step up and help unify these teams under a common strategy. From our vantage point, there’s a great opportunity for the CISO to do just that.”
Worrall concluded: “We talk a lot about what we call the federated responsibility model for AppSec.
“In short, this sees the CISO and corporate security set standards and provide tools and frameworks, with product and DevOps teams responsible for implementation.
“In this model, the CISO is a standard-bearer, mentor, and coach, helping DevOps to move quickly while still ensuring corporate has visibility for risk and compliance management.”