• Scott McKellar

    Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has been working in the technology industry for fifteen years and is passionate about technology and security. Scott enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).


Development and cybersecurity teams are generally on the same side, but it doesn’t always feel that way.

Developers are under pressure to meet tight deadlines and deliver innovative applications, while security teams must ensure products are safe. The result? Development teams can feel they’re being held back by last-minute changes and nit-picking, while cyber can get the impression developers are happy putting out apps with serious vulnerabilities.

Some friction between these two directives is inevitable, but it can be reduced by better communication – and by baking security into app development from the very start.

Why the battle lines are drawn

The relationship between developers and cybersecurity is often characterised by a lack of understanding. One survey showed that 67% of cybersecurity teams thought they had ultimate responsibility for application security – but only 39% of developers agreed. The research also suggested that within cyber teams:

  1. 71% felt developers undermined security by being careless early in software development

  2. 53% believed that developers saw security as a hindrance to releasing new apps

Shortcuts that development teams adopt for efficiency, such as automating some functions or reusing open-source code that may contain vulnerabilities, can prove a nightmare for cybersecurity. Fixing them may end up slowing the app release, but if they are not fixed a serious breach may result. Over three-quarters of Australian organisations said they were hurt by their lack of cyber preparedness in 2021.


The secret sauce is better collaboration

If teams are pushing in different directions, your organisation will feel the strain. You can start to improve the cyber-devs relationship via small adjustments that help teams collaborate better. To build a genuine partnership, the right people need visibility into app security from the get-go. And by get-go we mean at the scrawling-workflows-on-paper stage, long before a single line of code is written. The end game is a unified vision of security and app development that starts right at the top – and will involve significant cultural shifts.


Good communication is a vital start

Understanding where the other person’s coming from is a great help in any relationship. Developers are often blamed by cybersecurity when vulnerabilities are found. But being fearful of a scolding – especially when you’ve got sales and product teams pressing you hard on release dates – will not help morale. Rather than purely focusing on the gaps or code vulnerabilities developers have left, you might show how rapidly these errors were identified and resolved.

This change in mindset should be married to clear, actionable communication. Developers’ eyes may glaze over if you show them sprawling documents that list security concerns in jargon-packed paragraphs. Straightforward language and an appropriate level of detail is more likely to get them on board. Pointing out a problem is a start – showing how it can be fixed adds real value to your input.


You need both people and automation to get results

Changing up existing processes and flows can seem like a giant ask, but these changes don’t have to be complex. Just meeting regularly can help individuals find common ground and see how goals overlap. Explaining outcomes and consequences in real terms can give colleagues from elsewhere in the business a handle on the risk that sloppy security brings with it.

Collaboration also means listening to developer pain points and being mindful of their crunch times. Coding teams need to move fast – could your team help them by increasing security automation? Scanning for potential issues throughout the software cycle will reduce wait times and ensure security checks are factored into the build.


In-house APIs and DevSecOps approaches can smooth friction

Security assessment should be a part of development projects from requirements gathering onwards. One approach is to create application programming interfaces (APIs) that developers can use as needed. They can check library versioning, scan for vulnerabilities or undertake other relevant tests to make sure essential security bases are covered. This technique gives security a clear input and developers a relatively frictionless path to follow.
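As an added illustration of the kind of in-house check described above (and of the security automation the previous section recommends), here is a small dependency-policy gate of the sort a security team could expose to developers as an API or CI step. This is example code written for this article, not Mimecast's or any real project's tooling; the package names, versions and the policy table are constructed for illustration and do not correspond to real libraries or advisories.

```python
"""Added example: an in-house dependency-policy check that developers can
call on demand. Package names, versions and the policy below are all
constructed for illustration (hypothetical, not real advisories)."""

import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed policy: minimum acceptable version per library, plus any
# version ranges the security team has flagged. A rule with no minimum
# and a flagged range covering everything means the library is banned.
POLICY = {
    "webframework": {"min_version": "2.3.0", "flagged": [("2.0.0", "2.2.9")]},
    "jsonparser":   {"min_version": "1.4.0", "flagged": []},
    "legacycrypto": {"min_version": None,    "flagged": [("0.0.0", "99.0.0")]},
}

# Constructed requirements file as a developer might submit it.
SAMPLE_REQUIREMENTS = """\
# app dependencies (constructed sample)
webframework==2.2.5
jsonparser==1.5.1
legacycrypto==0.9
templating>=3.1
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.2.5' into (2, 2, 5); pad short versions so '0.9' -> (0, 9, 0)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return parts + (0,) * (3 - len(parts))


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> pinned version, or None when not pinned with ==."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name = re.match(r"[A-Za-z0-9_.-]+", line).group(0).lower()
        exact = re.match(r"^[A-Za-z0-9_.-]+\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        pins[name] = exact.group(1) if exact else None
    return pins


def check_dependencies(requirements: str, policy: dict = POLICY) -> List[dict]:
    """Return one finding per policy violation, each with a suggested fix."""
    findings: List[dict] = []
    for name, version in parse_requirements(requirements).items():
        if version is None:
            findings.append({"package": name, "severity": "medium",
                             "reason": "not pinned to an exact version",
                             "fix": "pin with == so builds are reproducible and auditable"})
            continue
        rule = policy.get(name)
        if rule is None:
            continue                          # not covered by policy
        v = parse_version(version)
        flagged = next(((lo, hi) for lo, hi in rule["flagged"]
                        if parse_version(lo) <= v <= parse_version(hi)), None)
        if flagged:
            fix = (f"upgrade to {rule['min_version']} or later"
                   if rule["min_version"] else "remove; no approved version exists")
            findings.append({"package": name, "severity": "high",
                             "reason": f"version {version} is in flagged range "
                                       f"{flagged[0]} to {flagged[1]}",
                             "fix": fix})
        elif rule["min_version"] and v < parse_version(rule["min_version"]):
            findings.append({"package": name, "severity": "high",
                             "reason": f"version {version} is below policy minimum "
                                       f"{rule['min_version']}",
                             "fix": f"upgrade to {rule['min_version']} or later"})
    return findings


def gate(requirements: str, policy: dict = POLICY) -> dict:
    """The API response: pass/fail plus findings developers can act on."""
    findings = check_dependencies(requirements, policy)
    return {"passed": not any(f["severity"] == "high" for f in findings),
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_REQUIREMENTS), indent=2))
```

Every finding carries a plain-language reason and a concrete fix, which is the point the article makes about communication: a failed gate that says "upgrade webframework to 2.3.0 or later" is far easier for a developer to act on than a bare vulnerability list.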

DevSecOps approaches foreground this kind of integrated application design, and set cybersecurity as a central part of product quality rather than a late add-on. An effective DevSecOps program will allow developers to identify problematic code early and deal with it while the software is being built, rather than after release.


Leadership and cultural shift across the organisation

Whether you formally adopt DevSecOps or take more informal measures to improve the involvement of security in application development, a cultural shift is key. Buy-in from your board is important in ensuring collaboration efforts run right through the company, and do not peter out before they’ve had time to come to fruition.

That will mean CISOs making their case to other executives, offering relatable metrics and explanations that illustrate how any changes will support wider business goals. Offering targeted, relevant and frequent training across the board, meanwhile, can help ensure cybersecurity is baked into not just your application development, but your entire organisation.


How to build better relationships between security and developers

Siloed teams are the enemy: poor communication can leave a gap between cybersecurity and development teams. Resentment, confusion and serious software vulnerabilities can result.

The first steps in improving app development and security include making sure messaging is clear and appropriate and ensuring different teams understand each other’s needs. Organisations that fully commit to bridging the gap will enjoy secure applications that need minimal, if any, security interventions after roll-out.

Ultimately, everyone wants secure, high-quality applications to release on schedule. Shared responsibility and effective collaboration can help bridge the gap, and help your organisation build better, safer applications that are better equipped for today’s threat environment.

