One of my favorite movie quotes of all time is from Cool Hand Luke: “What we’ve got here… is failure to communicate.”
It’s so apropos because better communication could help avoid a majority of problems — at work and in life. Alas, a recent Trend Micro survey (covered on DevOps.com) found 89% of respondents thought software development and security needed to be in closer contact. 89%!
Clearly we all have a failure to communicate. The numerous ramifications of this breakdown include more WIP, significant technical debt, and less security. You know — all those things DevOps is supposed to address. The entire DevOps movement is predicated on breaking down these barriers and integrating processes across the Dev and Ops continuum, with security sprinkled in everywhere.
But we understand. Change is hard. Behaviors have been baked in for decades. It is easier to point fingers than to actually address the root causes of issues, and utilize more integrated processes to greatly reduce development friction.
The survey shows that the entire DevSecOps process lacks both common tools and shared accountability. Across 1,310 survey respondents, 61% wanted greater integration between teams, 58% felt they need to set common goals, and 50% thought sharing learning experiences across teams would help get there. We can’t quibble too much with those objectives, but real progress likely requires both time and a senior management mandate that teams work together… or else.
You probably shouldn’t hold your breath for either, so what can we do in the meantime? Here are 3 things security teams can do pretty much immediately:
- Add value to architecture: Developers are incented to ship code and ops folks need to keep systems up and running. Security issues impact both those objectives, so offer guidance on _how_ to build and operate more securely. Not preach, not browbeat — offer guidance and prove that you can help them achieve their goals — and be more secure.
- Offer shared services: The security team has always been responsible for many security controls, but with the advent of DevOps those teams have been doing it themselves, if at all. So providing a means for these teams to leverage shared offerings like IAM, logging/monitoring, alerting, and incident response adds value — and also makes sure security is part of the discussion.
- Implement guardrails: I’m sure you’re shocked to see that in our list, but providing cloud security automation with a guardrails service is critical to scaling security and integrating it into DevOps. Assessing (and, over time, enforcing) the organization’s best practices for security and operations ensures security doesn’t slow down DevOps while still being built into it.
Building relationships takes time, especially when historical mistrust exists between groups. So expect some fits and starts as you move down the path to break down these silos and improve communication. Be diligent about it, spend time together, and keep in mind that it’s much easier to get these teams to build security in if they understand how it can help them achieve their goals.