The “Dev/Sec Disconnect” has become a common phenomenon in organizations, especially as developers are increasingly measured by how fast they can build, deploy and run new applications, while security continues to be seen as the sluggish obstacle to agility. Organizations don’t want to risk disturbing the flow of software to market or impacting business objectives, but the security teams within those same organizations don’t want to expose the business to growing security risk. This push and pull results in what is arguably the most detrimental cultural rift between two critical parts of any organization: developers and their security counterparts.
Designing security solutions for security professionals is no longer enough; if the security community wants to lead, in and out of the board room, it should aspire to bridge the cultural gap by catering to the needs of developers and making their lives a little easier. Using technology to foster trust between these teams was a top priority for Opus, and we wanted to find a way to get developers interested in security without inundating them with thousands of tickets, entries and false positives. These are the top 3 tips that worked for us (just ask our engineers):
The pain: Security tells developers what to do without context, tools or explanations. Many developers see themselves as creators, not fixers, and while they may want to help, security teams don’t have the time or resources to explain the remediation process or guide them through the steps. Developers are left searching for ways to fix vulnerabilities on their own, which increases frustration and distrust.
The tip: This stems from a lack of trust and a lack of understanding. If developers trusted security teams to hand them only the most important, urgent and relevant tasks, selected after security has assessed the context and requirements, they would be more willing to take ownership. This is where using technology to build trust can have a real impact: developer teams can trust that the tickets they receive are high-impact, that each task is routed to the right person, and that it comes with actionable guidance on how to fix the problem.
The pain: Some remediation processes begin with security tools creating a JIRA ticket for every vulnerability, inundating developers with thousands of tickets without helping them prioritize or even see what needs to be done.
The tip: Using tools that automate these processes, understand who is tasked with what, and know which vulnerability matters more will help make security a streamlined part of developers’ daily workflow. Choosing a set of tools that serves both security and developer interests can make a world of difference.
The pain: A lack of empathy and understanding between developers and security teams increases tension and hurts the organization in the long run.
The tip: The first step is understanding the mutual struggle and what each team needs in order to reach its goals. Now that security is no longer a siloed responsibility but an organization-wide concern, making the security ROI clear to developers through organizational security training and executive buy-in will invariably make a difference. It helps developers understand why security controls need to be implemented even as they push features into production.
Using technology to fuel a better understanding and an improved working relationship between the developer and security teams is a critical step for any growth-oriented organization. In the modern business environment, security can no longer see itself as a standalone function whose job is to keep others in check. Orchestrating security across the entire organization, while streamlining the outdated legacy processes that fostered frustration and tension, is a key factor in ensuring that productivity, efficiency and security coexist and the business thrives.