RSA Conference 2021-In the virtual session of the RSA Conference, a security consultant told participants that the disconnect between the security team and the development team continues to cause trouble for the company in protecting the software and its infrastructure.
Chris Romeo, the CEO of training provider Security Journey, believes that the company is undermining its application security plan by not putting more effort into breaking the wall between developers, security and operations. A central problem is that many security professionals are not coders and do not understand their motives and motivations. At the same time, developers view security as busy work and say that application security tools generate a lot of false positives.
Romeo refers to this tension between developers and security personnel as “the disconnect between developers and developers,” when developers and security personnel see each other as enemies, not partners.
“As a developer, I sit here and say to myself:’These security guys are always obstructing them, they always slow me down, they have arbitrary demands, [and] They can’t make up their minds [when] We need to put these new features into production. “He said, “On the other hand, the security department said,’These developers, they are lazy, they didn’t use the guidance we provided,… [and] Their code is not safe. “
A recent survey conducted by DevOps service provider GitLab showed that 68% of companies said that DevOps and agile programming have become the method most companies use to develop applications. The survey found that most developers (71%) believe that security is their responsibility or a joint responsibility with another group.
However, Romeo of “Security Journey” said that developers and security teams still need to improve their collaboration. He told attendees that security teams often require tasks to be performed instead of providing recommendations, and the lack of detailed security processes often leads many developers to believe that security decisions are arbitrary and always hinder their work.
He said that instead, the company must not only focus on safety issues, but also celebrate success.
He said: “By celebrating the victory of security, we can make security good for our developers, not always bad.” “It’s not difficult to do one thing, but developers often only hear that the sky is always falling.” .”
Romeo’s recommendations for security teams and companies intending to improve their application security plans include: adjusting tools to reduce false alarms, jointly determining the appropriate amount of resources for security needs, educating developers on security knowledge, and educating security professionals on development information.
He said: “We always start with what or how… We don’t take a step back and say,’This is why you need to do this.’ “Help people next to the project understand why safety is so important to your customers. Not for you as the security team, not for your executives, not for other teams within the company, but for your customers. “
Part of this is the creation of indicators for the return on security investment. Romeo said, for example, an important indicator is tracking the rework required to fix errors with security components.
Another major recommendation: make sure that security professionals and developers know that they need to work together to make the business successful, rather than declaring a person as a gatekeeper. He said that the guardrail is good, but developers need room for maneuver.
Romeo said: “We have guardrails to prevent us from driving down the hillside.” “If they are only two inches away from your car and don’t give you room to maneuver, then they won’t work. Safety guardrails need to be in the development process. Gives you some freedom.”
Romeo sees the disconnect between security personnel and developers as an ongoing problem, and the GitLab survey released earlier this month highlights some hopeful trends. Although security and application testing is still a headache for developers-40% of developers worry that it is too late in the development process-but 72% of developers still think that the security of their organization is good Still strong, 13 points higher than safety a year ago.
The survey found that approximately 43% of survey respondents deploy software at least once a week.
A senior technical reporter for more than 20 years. Former research engineer. Wrote for more than twenty publications, including CNET News.com, “Dark Reading”, “MIT Technology Review”, “Popular Science” and “Cable News”.Won five awards in journalism, including the best deadline…View full bio