
Survey surfaces DevSecOps cultural challenges
There’s been a lot of focus on the often-dysfunctional relationship between cybersecurity professionals and application developers of late, but it’s not clear much in the way of real progress is being achieved.
A global survey of 606 IT, security, application development and DevOps decision makers at organizations with more than 500 employees finds that the biggest barrier to adoption of DevSecOps best practices remains largely cultural (71%) rather than technical. The trouble is that only 16% of respondents plan to prioritize addressing those cultural issues in the next 12 to 18 months.
Only 30% expressed confidence in the current level of collaboration between security and application development teams. In contrast, 46% of respondents were not particularly confident, while nearly a quarter (24%) were not at all confident. Just over half of respondents (51%) admit they are only somewhat familiar with how security fits into a DevSecOps workflow.
Specific issues that need to be addressed include defining a clear set of policies and procedures (66%), defining the roles and responsibilities of staff across teams (62%), creating a continuous feedback loop (49%), and automating recurring security tasks (41%).
Finding a path forward
The core issue is the degree to which cybersecurity teams should be involved in application development. There is clearly a concerted effort to push more responsibility for application security further left toward developers by, for example, embedding security tools within their integrated development environments (IDEs). The challenge is that even when those tools are provided, it's not clear that developers can distinguish the severity of one vulnerability from another. In most instances, security was at best an elective that some developers might have been offered in college but few actually took.
While providing developers with more security tools is not necessarily a bad idea, it's clear there is a need for some type of centralized security function to better ensure application security. It's that need that makes narrowing the current cultural divide between cybersecurity professionals and application developers so crucial. That can't happen, however, if cybersecurity teams don't really understand how modern applications are developed. That doesn't necessarily mean cybersecurity professionals need to be able to dive deep into application development workflows, but it does mean they should at the very least understand how applications are constructed, so they can make sure the appropriate security guardrails have been put in place.
There is no doubt that the DevSecOps journey ahead will be long. Each cybersecurity professional will need to decide for themselves how best to engage application developers. The important thing is to make the effort. Even the smallest of changes to application development processes can have a profound impact on security. The challenge is to quickly identify those opportunities at a time when cybercriminals have significantly stepped up their efforts to compromise software supply chains that are rife with known vulnerabilities. In fact, cybersecurity professionals have a vested interest in helping to secure those supply chains. After all, every vulnerability that doesn't find its way into a production environment is one less problem cybersecurity professionals will be asked to help resolve later on.
