Bridging the Gap Between Devs & Security – A Collaborative Suggestion…
After my keynote at Gluecon (Shit My Cloud Evangelist Says…Just Not To My CSO,) I was asked by an attendee what things he could do within his organization to repair the damage and/or mistrust between developers and security organizations in enterprises.
Here’s what I suggested based on past experience:
- Reach out and have a bunch of “brown bag lunches” wherein you host-swap each week; devs and security folks present to one another with relevant, interesting or new solutions in their respective areas
- Pick a project that takes a yet-to-be-solved interesting business challenge that isn’t necessarily on the high priority project list and bring the dev and security teams together as if it were an actual engagement.
Option 1 starts the flow of information. Option 2 treats the project as if it were high priority but allows security and dev to work together to talk about platform choices, management, security, etc. and because it’s not mission critical, mistakes can be made and learned from…together.
For example, pick something like building a new app service that uses node.js and MongoDB and figure out how to build, deploy and secure it…as if you were going to deploy to public cloud from day one (and maybe you will.)
You’ll be amazed to see the trust it builds, especially in light of developers enrolling security in their problem and letting them participate from the start versus being the speed bump later.
10 minutes later it’ll be a DevOps love-fest. 😉
/Hoff
Like everything in Security nowadays I feel we’re oversimplifying things. What works for companies that were build by devs doesn’t work ‘just like that’ for enterprises that have been running into the swamp with their eyes closed. You don’t solve siloed off layers of management with brownbag sessions and you don’t build cloud-ready apps in an org that requires 7 signatures to even start the design phase. However nice we can be, this won’t happen without bloodshed. We just need to find a way to convince c-level executives (and those that are going to die in the process) that it’s a really nice shade of red.
For sure these are valid points.
I wasn’t suggesting this would “SOLVE” anything, but rather the notion of enrolling in one another’s problems is very useful.
Brownbags about new dev architectures or new security approaches make a huge difference. It may not work for you, but the
fact is that sharing knowledge is critical to avoid assumptions…and the entire point of my example was not to go through
the 7 stages of sign-off, but rather TOGETHER build a service as one would should deployment to a public cloud be considered.
I’ve done this – worked very hard to integrate activities with the Dev team while leading the security team and ensuring that
we got more engaged. Took years. It was hard. It was nice shades of red.
However, the notion that because you can’t get from here to there instantly means we shouldn’t try to make things better is
repugnant to me.
This was one idea. YMMV.
If you want to repair the damage and overcome mistrust, how about use a game to shift the social norms towards playfulness and exploration? Here’s one such game:
http://www.microsoft.com/security/sdl/adopt/eop.aspx