Cyber

Value of a cultural shift

by Mark Rowe

Fixing software’s security problem requires a C-suite cultural shift, writes Paul Santapau, CTO of the cyber threat modelling platform IriusRisk.

As the cyber threat landscape continues to evolve, the need for integrated and comprehensive software security and data protection is greater than ever. Security is often treated as an afterthought by developers – leaving products, services, and high-value data within the public and private sector vulnerable to breaches.

While a recent Gartner study showed that 88 per cent of C-suite directors now view cybersecurity as a business risk, a cultural shift is still required to ensure that security practices don’t fall by the wayside in the pursuit of business growth.

Put simply, software security is about mitigating risk and protecting software systems from vulnerabilities. As companies grow and scale their platforms, ensuring software is secure is paramount. The quality of software that businesses create is only of value if vulnerabilities are addressed early in the software development life cycle (SDLC). Otherwise, sensitive data risks being exposed, which can in turn lead to financial losses.

‘DevSec Disconnect’

There is a phenomenon relating to the disconnect between security teams and developer teams that has been coined the ‘DevSec Disconnect’. The ‘disconnect’ is largely due to software developers being problem-solving boundary-pushers, which can cause friction with security teams that are often averse to risk.

Security practices are often seen as a blocker to a developer’s drive for innovation, with nearly half of a developer’s working day being spent on the upkeep of compliant (secure) infrastructure. Historic security practices, such as manual threat modelling, are also viewed by developer teams as a hindrance when creating complex applications. The ‘disconnect’ is compounded by the fact that half of security professionals struggle to get developers to make remediation of vulnerabilities a priority.

This ‘disconnect’ is reinforced when C-suite leadership prioritises a ‘race to market’ strategy instead of releasing secure applications. Developers face mounting pressure to build rich, feature-driven applications in short time frames. This leads to a battle of agendas – mounting security threats against market competitiveness.

While developers are usually aware that building robust and secure code is a prerequisite of the job, cultural expectations from the C-suite mean that they often have to churn out code at breakneck speeds. This can result in gaping vulnerabilities as security is lost in the trade-off for market share.

Solutions from the top

As cyber-related criminal activity continues to rise, the need for Chief Information Security Officers (CISOs) to have a seat at the C-suite table grows. While CISOs understand the benefits of embedding security measures early in the SDLC, problems arise when this is not reflected in the internal practices of the organisation. A cultural shift within the C-suite is needed to fix software’s security problem. Leadership needs to reassess the metrics which they apply to developer teams. Instead of valuing the quantity of output, the focus should be on the quality of the code.

A great example of how the C-suite can reassess its approach to developer teams is Netflix’s ‘paved road’ approach. This is a set of expectations and commitments between the centralised business and its software engineers. The Netflix Platform as a Service team provides a sensibly configured, customisable ‘paved road’ platform for developers by offering standardised and compatible components, a pre-assembled platform, and extensive automation and tooling. This, Netflix claims, helps the organisation to achieve its goals of “velocity and reliability”. The ‘paved road’ ensures greater collaboration within the business and a shared responsibility for security across all teams.

If you only have a hammer everything looks like a nail

If this cultural change is going to take root, the security tools available must be a help, not a hindrance. They need to be built so that they integrate with existing processes and speak the language of developers.

That’s why the most effective way to ensure secure software is with ‘start left’ security. Starting left simply means introducing security at the beginning stages of the SDLC and when combined with DevSecOps (such as threat modelling), it incorporates checks at each development step to ensure the application is fully secured before release to end users. The result is that development teams have a greater responsibility for the security of their code, and ultimately the total cost of delivering the secure software is reduced. Developer output might also be increased due to greater confidence in the security of software design.

Security practices are successful when there is buy-in from top to bottom. As cyber threats continue to evolve and mature, it is more necessary than ever that we integrate software security throughout the entire SDLC. Shifting company culture towards a more collaborative security environment means that security does not become an afterthought, but a process initiated from the top and carried through to developer teams. The ultimate gain is that organisations design and release more secure software.


© 2024 Professional Security Magazine. All rights reserved.
