Executive need to listen


​​When Dev meets Sec

Bringing developers and security teams together doesn’t have to put speed at odds with safety. DevSecOps ultimately improves culture and products.

By Christine Kent, Workflow contributor

When the zero-day vulnerability Log4Shell put millions of applications, databases, and devices at risk, hundreds of companies scrambled to mitigate the threat. The situation was critical: Researchers logged more than 800,000 related attacks within 72 hours of disclosure. The National Vulnerability Database, a U.S. government project that catalogs and assesses exploitable cyber risks, rated it 10 out of 10 on its scale of serious threats. Wired called it a “full-blown security meltdown,” adding, “the Internet is on fire.”

Naturally, cybersecurity teams were on the front lines of the fight. But many companies that fared the best took an additional step. They brought product developers to the table, too.

JupiterOne, a cybersecurity firm, was among them. Working hand in hand, security experts and product engineers evaluated the company’s security posture and let all teams know where any vulnerabilities lay and how to tackle them. While the security specialists took the lead in identifying risks, the developers guided them through the ins and outs of products they knew intimately because they had created them. JupiterOne easily fended off any potential attacks.

The need to stay one step ahead of cybersecurity risks like Log4Shell has been driving a growing number of companies to get serious about this kind of collaboration. Known as DevSecOps because it brings together the product development, cybersecurity, and operations teams, the approach is still taking shape. For some companies, it can mean introducing testing processes earlier in the development cycle; others may choose to fully merge teams. The biggest challenges to successful implementation are often cultural, but the benefits are increasingly hard to ignore.

Baking security into development projects is not just about mitigating risks. It also saves money. Mark Miller, vice president of community engagement and outreach for The Linux Foundation and co-author with Edwin Kwan of the book Epic Failures in DevSecOps: Volume 1, says the cost of remediating security holes can be far higher once a product is on the market. “You can fix the problem now for $1,000, or you can fix it down the road for $20,000,” Miller says.

Realizing these savings requires integrating security into software development and deployment. This may mean security reviews of the code itself, or security pros playing the role of hackers to try to uncover vulnerabilities. Software developers then work to address weaknesses before continuing to add features or capabilities. This process is repeated multiple times through the development cycle.

You can fix the problem now for $1,000, or you can fix it down the road for $20,000.

This so-called “shift left” culture—moving code testing and quality control earlier in the software development process—has been raising the profile of DevSecOps. The goal of the movement is to help eliminate problems like security vulnerabilities before products get to market, where risks like Log4Shell could lead to downtime, loss of data, or worse.

“There’s an understanding that there are tangible, financial reasons to fix something, or to make something secure as part of the process, instead of going back and doing rework,” Miller says.

But embedding security processes or people into software development doesn’t always come easy. Developers prize speed and agility. They’re there to move fast and build things. Their performance is often gauged by how many code releases they can deliver. A security team’s mission, on the other hand, is to carefully inspect every possible attack vector in the company’s systems, and remediate problems. They need to move methodically.

“Security is a small part of the developer’s job, until you get a call at 3 a.m. about a zero-day vulnerability release or an attack,” says Epic Failures co-author Kwan, who is head of application security at Tyro Payments, a fintech company based in Australia. “Once you get calls like that two weeks in a row, you think more about security.”

To balance the competing priorities of pushing code and maintaining security, a sometimes adversarial relationship has to become collaborative. At Tyro, the DevSecOps process starts at the top, with a committee that includes the CTO, CISO, the chief product officer, and the chief risk officer. Product owners and security experts who gauge how to handle security risks for new products also join in, particularly when the development team or product owners want to accept some risk while accelerating product launches. Talking through the risk, Kwan says, is better than sweeping it under the rug.

“Maybe developers want to reduce the number of sprints to deliver the project faster, or maybe the security team agrees that a specific security issue has a low likelihood of being a problem,” Kwan says. People on the team might have different ideas about how secure is “secure,” he adds, but all stakeholders come to a place where they understand the risk/benefit equation. If the risk is considered medium or high, then senior executives will have to sign off on the decision, so that everyone understands the potential challenges of the security posture.

Developers who don’t want their code changed or nixed because it doesn’t meet certain security standards are missing the point, according to Jasmine Henry, JupiterOne’s field security director. “Security isn’t the ‘department of no’ in a culture where builders embrace security principles,” she says. “It allows everyone to collaborate faster and more effectively.”

To support this collaboration, JupiterOne publishes security policies as “run books,” or lists of procedures, on GitHub, where the company houses its code. The security team’s meeting minutes and security playbooks are also available on GitHub. Internal dashboards allow developers and executives alike to monitor key organizational security and DevSecOps metrics, including vulnerability management, risks, and secure code. And security engineers are embedded with product management and site reliability engineering teams, advising developers on vulnerabilities to be addressed through code. The result is a greater and more decentralized focus on security over the entire product lifecycle.

Even at a company that is already focused on cybersecurity, DevSecOps has to become a conscious practice. At JupiterOne, that includes company leaders who cheer on successful integrations between developers and security experts, cross-department KPIs and practices that support DevSecOps, and training for engineers who want to strengthen their security knowledge.

Henry says it’s leading to increased interest in security among engineers.

“I’m seeing a lot of interest in adopting better and deeper security training programs for engineering teams,” Henry says. “Every organization can accelerate a DevSecOps culture by investing in better security training for engineers, launching a security champions program, and ensuring that engineers who pursue extra security training are rewarded.”

They’re investments that promise to bolster security and the bottom line.


 Facilitate Collaboration Between IT Operations Management and Security Operations with AIOps

Related articles

Securing hospitals against cyberattack
Securing hospitals against cyberattack

The healthcare industry is a soft target for nation-state and terrorist hacking groups. Waiting for the next attack is not the answer.

Navigating the future of data privacy
Navigating the future of data privacy

How AI and design thinking could help keep data safe

Companies are playing catch-up on cybersecurity
Companies are playing catch-up on cybersecurity

For many organizations, investing ahead of the breach is a hard sell

Cybersecurity risk in 5 stats
Cybersecurity risk in 5 stats

Security breaches and budgets are both on the rise, according to new research


Christine Kent is a San Francisco Bay Area‑based writer who covers technology and security.