The enduring chasm between security teams and developers
The gap between application builders (developers and development organizations) and defenders (security and operations teams responsible for securing apps) is closing slightly, according to SANS.
“This year’s survey shows that builders and defenders are finding better ways of working together,” says SANS Analyst Jim Bird.
That change is evident in the shared focus of the two groups surveyed. In the survey, 53% of respondents say their organizations are thinking about security starting at the planning/requirements phase of the application life cycle. Less than 10% now leave security to the last minute before product release.
Public-facing web, mobile and cloud applications are key development platforms for builders—and those same categories are of the greatest concern to defenders in terms of perceived risk. Budgets are being directed to these targeted areas, with 79% of respondents applying security resources to public-facing web applications, 62% to mobile applications and 53% to applications in private or public clouds.
However, when it comes to challenges in building or defending these applications, the goals of builders are different than the goals of defenders, indicating a continued chasm between security teams and developers.
For builders: Their challenges come from focusing on features and time-to-market concerns, as well as the lack of secure coding skills and management buy-in or funding.
For defenders: Because they handle the lion’s share of application security after development, defenders struggle with identifying all of the applications in a portfolio, fear of breaking an application, and navigating organizational silos that make coordinating efforts more difficult.
“Continued outreach, education and cooperation between groups must continue to improve in order to overcome these challenges,” says Bird.
Targeted, role-specific training in secure coding is essential for builders. But defenders and everyone who is involved in developing software should, at a minimum, understand the fundamental security risks and issues in application development and what their roles and responsibilities are.
“DevOps, new tools and training have helped builder and defender teams to work together,” Bird adds. “But they are still too far apart when it comes to priorities and organizational challenges.”
In fact, 47% of respondents believed their application security programs needed to be improved.
“Executive management is starting to understand the risks and costs of poor application security,” Bird continues. “This still needs to be translated into action.”