There’s something to be heard in the conversation.
By John Worrall, CEO at ZeroNorth
We live in a world defined by software, which is precisely why it must be secure. From the everyday applications, we use on our devices to the avionic software of modern commercial aircraft, the code embedded behind the functions of civilization matters in every way. But there’s a problem. Our current approach to building and delivering this critical software is now in the midst of a serious evolution, as it moves from siloed processes and mindsets to something more unified.
Our current model for building secure software often revolves around buying a scanning tool… and then another… and another… until we find ourselves with a craftsman-like approach that produces data in different formats. Aside from the deep knowledge needed to run each tool, the even bigger obstacle is processing the overwhelming amount of information resulting from those scans. And just like a craftsman-style approach, it isn’t scalable and can’t cover the needs of a growing business—or a planet becoming increasingly reliant on software.
Proof of the Problem
Fortunately for those who care about the security of modern applications, there are some solutions on the horizon. A recent report conducted by the Ponemon Institute and sponsored by ZeroNorth provides some real insight on how the ownership and governance of application security is fragmented and in need of repair. But this “repair” comes from better relationships, not better code.
Ponemon’s report clearly illustrates just how deep the divide between AppSec and DevOps has grown, more specifically around the issue of how to build secure software from day one. According to the research, 77% of developers say this existing schism affects their ability to meet organizational expectations, such as deadlines, while 70% of AppSec professionals claim the divide puts the security of applications at risk. And what we see as a result is not technology holding up progress, but people.
As organizations continue to look for more effective ways of prioritizing software security, without impacting productivity, they are realizing that developers view these measures as a hindrance to innovation and speed. And, of course, AppSec teams believe DevOps should be far more vigilant about ensuring security happens at all stages of the development life cycle. In fact, 65% of security pros say developers publish code with known vulnerabilities, while the same exact percentage (65%) of developers say the security team doesn’t understand the pressure they’re facing. And therein lies the misalignment.
Another part of this misalignment comes from a lack of clarity about who actually owns the security piece in the first place. Only 67% of AppSec professionals believe their team is ultimately responsible for the security of software applications, compared to just 39% of developers. These numbers alone indicate a massive gap in the larger security effort, a gap that raises serious questions about accountability and visibility. When misalignment within an organization is this extreme, and no one knows who’s “watching the kids,” the integrity and success of the business is jeopardized.
Thoughts for the Future
So, what does a more unified mindset around security look like? It starts with a mutual understanding of each other’s roles and responsibilities, of each other’s requirements. A more federated outlook on AppSec means everyone involved—from security to business to product leaders—are doing their prescribed part to ensure security is prioritized. But it requires a coordinated effort and unified approach. The work is fragmented and so are the results. Everyone has to bond on their shared desire to build and deliver quality software to market, together as a larger team.
Then we can improve things. This divide between security and development professionals offers up a much-needed opportunity for change, in both thinking and practice. With the right moves, CISOs and other security leaders can bridge this gap by embracing a unified approach for AppSec. This would allow security teams to set standards and provides frameworks, while DevOps and product teams execute their work within those guidelines. By serving as a unifier, CISO and other security leaders have a chance to make security front-and-center, without hindering the speed and velocity requirements of the Dev teams.
The “right moves” will be different among organizations, but modeling a mindset and culture of security first is a great start. Everyone involved needs to remember that a robust AppSec program is not just nice to have, or worse an obstacle—it’s a business imperative. In this scenario, CISOs can advise teams to formulate a stronger coordinated effort, where security, DevOps and business teams come together for the good of software, for the good of the world. It may sound dramatic, but it’s entirely true.
Security leaders also need to ensure the proper resources are allocated to safeguard applications in the development and production phase of the software life cycle. This includes training and support to help developers build the necessary secure coding skills. They also need to implement continuous testing throughout the development life cycle, starting at code check-in, to find and fix vulnerabilities early in the process. These moves help to stay on top of vulnerabilities, improve developer productivity and get product releases out the door on time. As members of senior leadership, CISOs need to build security into the organization’s overall risk management strategy and report out on the business’ most important KPIs.
Where we go from here is actually pretty clear. We need to build a shared vision, bring teams together and communicate about who does what and when. Commitment from both sides is critical to build this kind of collaborative relationship, but it is possible. And once everyone acknowledges the many ways security can improve the final outcome, including all the business benefits resulting from strong product security, they will hopefully find things just work better when everyone’s on the same side.
About the Author
John Worrall joined ZeroNorth in 2019 as chief executive officer, leading the company in its delivery of the only platform for risk-based vulnerability orchestration across applications and infrastructure. As CEO, John heads up all aspects of the company’s strategy, product, operations and go-to-market functions. Prior to this role, John was chief marketing officer (CMO) at CyberArk, where he played a critical role in leading the company through its initial public offering. He also held the position of executive vice president at CounterTack, serving on the leadership team that secured the company’s Series A funding. Before his time at CounterTack, he was the chief marketing officer at ActivIdentity; vice president and general manager of the Security Intelligence & Event Management business unit at RSA; and CMO at RSA. John holds a bachelor’s degree in economics from St. Lawrence University.