How To Strengthen the Relationship Between Security and Engineering

Historically, there has been a disconnect between security and engineering teams.

At best, security and engineering teams have a tense working relationship. At worst, they don’t interact at all. This presents a huge problem. Both teams fulfill vital functions, and effective co-working is critical to the success of the organization.

At our recent Shift AppSec Summit, we held a cross-functional panel of security and engineering leaders to dig into the problem and find real solutions.

Here’s what we found out.

Where Does the Tension Arise?

Security and engineering teams are incentivized differently. Developers are incentivized to ship new features and build systems that are reliable, high-performing, and low-cost. Security teams are incentivized to minimize incidents and ensure everything conforms to strict protocols. This disparity creates a systematic tension.

How is Security Embedded in Optimal Development?

Security needs to ‘shift left’ as far as possible. For that to be achievable, security needs to be considered as part of an organization’s overall system health.

Engineering teams intrinsically understand quality and reliability. Ideally, these concepts should have well-defined release criteria that includes security.

Using this model, security bugs can be treated as quality bugs and treated accordingly.

What Goes Wrong in the Real World, and Why is it a Problem?

Many organizations find themselves at a point where everybody is saying the right things, but nobody is doing them. This often boils down to a behavioral problem — it’s easy to get agreement, but hard to change behaviors.

The way security and engineering leaders behave has a trickle-down effect. For effective co-working to be possible, leaders have to proactively build relationships between the departments and model the behaviors they want to see.

Make Change Before it’s Too Late

Every business starts with a drive for functionality. As things evolve, it reaches a maturity stage where quality and reliability become equally important. It’s at this tipping point that security must be properly embedded.

If too much ‘tech debt’ builds up — i.e., systems become too complex, and the code-base too large — a business can go beyond the point of no return. Their products simply will not be able to scale.

To avoid this, businesses must standardize, simplify, and automate coding practices — including security — before they reach this tipping point.

How Can Security Work More Effectively with Engineering?

The most important thing security teams can do is build up credibility within the business. There are a few ways to go about this:

• Give solutions instead of just pointing out problems. If you don’t offer solutions, you will lose credibility.

• When the business invests in security, show real value-added. Help make security a business-wide concern, not a security concern, and each management and employees to value security metrics.

• Understand that security doesn’t own risk. There are plenty of other risk areas to be managed outside of security, and they are equally important.

• Help other teams ‘win’ at security. The security team isn’t there to ‘do’ security. It’s there to help the business do security better.

What Should Engineering and Security Teams Stop Doing?

Collaboration isn’t just about doing new things — it’s also about not doing things that create tension. To finish off the session, our panelists riffed on the things they’d love to stop seeing:

• Security teams need to stop throwing vulnerabilities over the fence from scanner products. There must be a dialog about why a vulnerability is important and how to address it.

• Engineering teams need to stop getting defensive when security issues arise in their code. Open communication is critical.

• Security teams need to stop assuming engineers share their perspectives. Both teams should explain what outcomes they need, and work together to find shared goals.

• Engineering teams need to stop thinking of security as a separate entity. Security must be built into the software development lifecycle.

To watch a full recording of our ‘Fixing Vulnerabilities at Speed: Where Security & Engineering Intersect’ panel. Panelists included Caleb Sima, Julie Tsai, Denali Lumma, Chris Patalano, and Kri Lahiri.

Video: Fixing Vulnerabilities at Speed

Interested in learning more about how Cobalt helps fill the dev<>sec divide?

Furthermore, understanding where your company lives on the security maturity spectrum can help empower better decision making across your security and engineering teams.