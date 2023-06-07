Developers and Security Teams: How to Improve Collaboration

Developers and security teams often have a strained relationship, with developers feeling burdened by security tasks and security teams frustrated by developers’ lack of action. However, improving collaboration between these two teams is essential to protect products from security vulnerabilities. To do this, it’s important to understand the concerns of developers and implement security tooling that encourages and empowers engineers to participate in security. In this article, we’ll explore some of the top issues inhibiting successful developer-security collaboration and suggest ways to address them.

Issue 1: Lack of business context

One of the main reasons developers find security tasks burdensome is that security risks are rarely contextualized within the organization. Developers may not see the business case for security, especially when new features appear more valuable than investigating security issues. To address this, provide clear context – both within the security team and to the development team – on why a security task is important. If security isn’t providing this context, developers are being asked to forgo new feature development in favor of security issues without a clear understanding of why the extra attention is required.

Issue 2: Unclear prioritization

Developers often dread new security tasks because they arrive out of the blue and are all treated as critical, without regard for developers’ other scheduled work. Clear and consistent prioritization is key. Developers need to know when a vulnerability is truly critical or high severity and should take priority over product work, and why. They’ll also welcome assurances that time spent patching critical issues will be recognized in their overall productivity.

Issue 3: Disputes over ownership and responsibility

Most Dev-Sec disputes stem from doubts over who’s responsible for a vulnerability. Developers often feel their role is to engineer new features, while security and DevOps should take care of aspects such as the software supply chain, developer access management, detection of hardcoded secrets, and environment hardening. Yet security can credibly claim that developer input is required in many of these areas. The security team should have a clear remit for which risks should not be queued for developers. If developers are constantly taking on all security tasks, it can be a sign that security should bring more of its work in-house.

Issue 4: Long feedback loops

Developers hate being slowed down or interrupted. Unfortunately, legacy security testing systems often have long feedback loops that negatively impact developer velocity. Whether it’s complex automated scans or asking the security team to complete manual reviews, these activities are a source of friction. They increase the delay between making a change and verifying its effect. Security suites with many different tools can result in context switching and multi-step mitigations.

Issue 5: Insufficient ability to make change

Developers may lack precise security-specific knowledge, or the ability to enforce good security practices, if they’re unfamiliar with common attack vectors, are working in an unknown part of the code, or haven’t been introduced to the organization’s security standards. Developers may also struggle to stay current with rapidly changing security expectations. This can feel like having the rug pulled from under them: they are suddenly tasked with addressing a slew of new failures in code that was acceptable yesterday, last week, or last month.

How to change developer minds

To change developers’ minds about security tasks, give them the support they need to contribute to fixing security problems without detracting from their engineering productivity. Provide a clear security toolchain that includes static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), scanning commits for exposed secrets, and monitoring systems. Your tools should provide developers with simple solutions for fixing discovered risks, as well as notifications for any fixes that were automated on their behalf.

Help developers maintain velocity by implementing mechanisms that let security work happen more efficiently, without slowing down development. Truly frictionless security requires a new approach that gives rapid, targeted feedback on vulnerabilities, with clear remediation paths and the ability to fix vulnerabilities as they are identified.

In conclusion, improving collaboration between developers and security teams is essential to protect products from security vulnerabilities. By understanding developers’ concerns and implementing security tooling that encourages and empowers engineers to participate in security, you can improve the relationship between these two teams and protect your product.

