Software professionals know that the working relationship between developers and security teams can be complicated. Most security professionals feel it’s part of a programmer’s role to write code securely, but most developers get next to no support to do it.
Despite this dynamic between developers and security architects having become part of IT lore, the fact remains that these technical teams are two sides of the same coin. Like heads and tails, developers and security specialists look at the same object from opposite sides, which means they don’t always have clear visibility or awareness of what the other is doing, even though they are working towards the same goal.
The fundamental issue boils down to communication. The predominant siloed approach to software development, with engineering and design coming first and security second, has turned security into an artificial barrier to deployment and increased the risk of vulnerabilities being built into software because security is positioned as a bolt-on feature.
The “shift left” concept was coined 20 years ago to encourage testing earlier in development rather than later. But it’s my belief that we need to evolve the development and security culture further, to “start left”. If we start left with cyber security, protection can be baked into product design from the get-go, so that both development and security teams are invested in it and have a better understanding of process and execution.
Bridging the gap between software development and security
The age-old development process has been the cycle of build, test, fix, build, test, fix. This pattern keeps development and security in silos and creates frustration on both sides that isn’t conducive to a trusted, collaborative working environment. It also leads to bad outcomes on the product side: deployment is delayed, and the software inevitably ships with vulnerabilities that post-production testing cannot catch.
It is therefore common sense to shift security earlier in the design process. In my experience, one of the major barriers to adopting this approach has been the belief that developers either don’t care or are incapable of adopting cyber security practices in development. This is a myth. All teams want strong, secure products and an easier path to deployment.
What has been missing are tools that developers can use to build security into software design without having to completely re-train as security professionals and without constant oversight from the security team. This is where the practice of threat modeling has the potential to change the relationship between developers and security professionals and achieve the ultimate goal of DevSecOps: truly cross-functional …….
Source: https://www.helpnetsecurity.com/2021/12/16/implement-software-security/