Balancing Development and Security: How Code Threats Can Undermine Your Progress

Development vs. security: The friction threatening your code

In an era of Digital Transformation, when emerging technologies and applications are defining their own rules, a perennial tug-of-war exists between development and security teams.

The friction arises from the need to accelerate innovation while also ensuring that software is secure and risk is mitigated.

This tug-of-war is not just a battle of priorities but could be imperiling your code and, by extension, your organization’s security.

The Push and Pull: Speed vs Safety

Development and DevOps teams are under pressure to deliver new features quickly to meet ever-evolving consumer demands and increase business innovation.

Veracode, among other sources, reports that 61% of developers say it is crucial that security processes neither impede nor slow down the development cycle, nor become a barrier to business success.

On the other hand, cybersecurity teams prioritize risk mitigation, driven by the rising number of data breaches and ransomware attacks and the imperative to safeguard sensitive data.

According to Cybint Solutions, a cybersecurity education firm, 64% of companies around the world have experienced at least one form of a cyber threat.

Striking a Balance: Looking at Real-World Examples

The Equifax data breach of 2017 is a prime example of the devastating consequences that can arise from the tension between development and security.

A known vulnerability in the Apache Struts web-application framework, left unpatched by the development team, led to the exposure of sensitive data belonging to 143 million consumers.

Uber faced a similar debacle in 2016 when a massive data breach exposed the personal information of 57 million users and drivers.

The breach resulted from poorly managed credentials for a third-party cloud service, and the incident illustrates the critical importance of security in the development process.

Key Advice: Collaboration is Crucial

Given these stark real-world examples, it becomes evident that collaboration between development and security teams is not only desirable but essential.

They should work to foster a security culture within the development lifecycle: integrating security processes and practices from the initial stages of development and promoting education and training within the team.

Utilizing tools that enable secure coding practices, like Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), can also help streamline the process and significantly reduce friction between the two teams.

Conclusion: Mitigating the Friction

While the push and pull between development and security looks set to continue, what’s evident is that the biggest winners of a constructive dialogue between the two are your code, your customers, and your business.

The keys to successful alignment are early incorporation of security measures within the development lifecycle, increased training and education, and the utilization of appropriate testing tools.

Follow-Up Reading

1. Help Net Security: Developer Security Team Friction.

2. Trend Micro: Bridging the Gap, DevOps and Security.

3. Veracode: Developers and Security Can Be Friends.

AegisLens
