Getting Over the Security-to-Business Communication Gap in DevSecOps

Published: 23/11/2024   Category: security


Application security in a DevOps world takes more than great teamwork among security, developers, and operations staff.



As application security teams seek to improve their practices to account for the swift software release cadence set by DevOps and agile development processes, collaboration has been the name of the game. Security leaders and practitioners have been asked to better integrate with developers and operations pros to streamline the way security is enmeshed with software delivery practices.  
Fostering close relationships with dev and ops will ideally help security teams provide tools that make sense within the DevOps working environment, that automate security testing tasks, and that seamlessly validate and secure the fast-changing cloud infrastructure supporting development and production environments. Additionally, the collaboration sets up a communication channel for security to educate DevOps teams on how to transform the way they manage risk throughout the software life cycle.
But to achieve all these goals, there's often one huge relationship hole that security organizations neglect in their DevSecOps collaborative efforts — and that's with the business, both at the executive level and among application owners.
"When we build out our process and procedures, we have to integrate ourselves as a security group into the business as well," says Brad Causey, CEO of Zero Day Consulting, an application security consulting firm, and a speaker for the Cybersecurity Crash Course to be held by Dark Reading during Interop Digital early next month. "So we have to be understanding, involved, and integrated from the very first time they sit down and start talking about [application] requirements. ... The security team has to be involved in that."
This kind of design thinking mentality for ensuring DevSecOps success is a big theme in the Capgemini Global DevSecOps Insights Report 2020, which the consulting firm released a few weeks ago. Capgemini experts explained that high-performing teams are 50% more likely to embed security in the design and build stages of software development than bottom-quartile teams.
But a big obstacle getting in the way of achieving this is a security-to-business collaboration gap that has hamstrung nascent DevSecOps programs from progressing past the bottom rung of maturity. Here's why, according to Causey.
"You really have to have some buy-in and at least some level of understanding and education at the business side because they own these apps. If I'm in a big bank, for example, the mortgage department owns the online mortgage application," he explains. "So they're responsible not only for producing the application, but understanding and directing risk management work associated with it."
These application owners drive DevOps team priorities, so if security isn't getting a bug in their ears, it doesn't matter how good of a relationship security has with developers — the devs are going to march to the beat set by these business stakeholders.
"I've seen this a million times over my career where we would do a pen test on a web app, go back to the developer and say, 'OK, here are the vulnerabilities that we found,' and they're going to say, 'Well, that's cool, but I'm working 80 hours this week on this new release that has to go out with this new functionality. So what do you want me to focus on?'" says Causey. "Well, that's not my decision, right? That's up to the business unit and the sponsor of the application."
This is likely one of the big reasons why, even on DevSecOps teams, some 69% of security pros say it is still difficult to get developers to actually prioritize fixing bugs, according to the recent Mapping the DevSecOps Landscape survey report from GitLab.
In his upcoming session during Interop Digital, Making Applications Secure in a DevOps World, Causey is going to get into the dynamics of the disconnect between security and business stakeholders and offer advice on how to get past it. First among them: the CISO needs to be chief salesperson and listener, getting business stakeholders tapped into the AppSec program and tying AppSec goals to business priorities.
"They are in a unique position because they have a seat at the [C-suite] table," Causey says. "[As a pen tester], I don't have that seat and neither does the security manager or the appsec guy or whatever practitioner it is. So CISOs have to leverage the fact that they have a strong audience of influential folks within the organization to sell the program."
When it is time to hand over management of the program to security practitioners, the whole team also needs to back up that early sales work with metrics and support that add value and prove it to the business stakeholders. This means showing a reduction not only in vulnerabilities, but also in the time and resources it takes for everyone to address them.
Then, as the relationships grow, the CISO still needs to serve as ambassador to manage politics and translate cybersecurity insight into business language. This is crucial when friction inevitably arises as everyone tries to strike the balance between managing risk and delivering features, Causey explains.
"Those folks speak a different language, and we want the CISO in our back pocket as an ambassador when we run into problems like that," he explains.