By Ayman Sayed
Despite the advances in technology, there’s still a very human element to whether a company embraces security practices. Most organizational cultures are driven by the priorities and values of their executives, whether or not that is their intent. In software-driven companies – which is nearly every company these days – those values trickle down to the development team.
It’s no wonder then that a Freeform Dynamics survey (commissioned by CA Technologies, with an accompanying infographic) found that an organization’s culture has a profound influence on its ability to integrate security practices from the start as part of the software development lifecycle. This practice – commonly known as DevSecOps – is critical to business success in the digital economy. That survey also found that fewer than a quarter of respondents believed that senior management truly understands the importance of not sacrificing security for time-to-market success.
When coupled with the growing competitiveness of the software market, it’s easy to see why developers feel the need to write code quickly rather than safely. So how do you shift a culture to give developers the room they need to make integrated security a reality?
Start from the top
It’s important to start with the decision makers when implementing sweeping cultural changes. Executives need to see why security is important so that they can alleviate other roadblocks – like time pressure – while the team adjusts to a DevSecOps process.
Getting executive buy-in is a matter of making a business case for security. The organizations that have been the most successful at DevSecOps are the ones that see security as an enabler of new business opportunities. In fact, the top third of companies in terms of DevSecOps adoption are more than two times more likely to think that security can be as much a competitive differentiator as innovative features.
Laying out this case makes it possible to move on to the next step, which is to get buy-in from across the organization.
Take the pressure off a single team
Long gone are the days when developer teams can get away with thinking about security after a product has undergone development. Organizations can no longer leave it to the “security test” team to find and fix every potential vulnerability and still expect products to deploy quickly and safely. DevOps now sets expectations of greater flexibility and speed, and security cannot be the choke point.
Security needs to become ingrained in the development process so developers can fix flaws in real time along with all the other feedback coming in. Each developer needs to learn to take responsibility for the security of the code they produce.
To make this work, there needs to be a “Security Champion” – someone who serves as the security conscience for the team, ensuring that security is considered and integrated throughout the development process, and not as an afterthought.
Give developers the tools they need
Executive and organizational buy-in communicate to development teams that security is now a priority. Developers are a capable and driven bunch who take pride in the quality of their work, which includes security. Even when they don’t know everything, they will rise to the challenge presented to them, especially if organizations hand them the tools they need to succeed.
The single most effective action an organization can take is to establish a training program which teaches developers what they need to know about software security. This way developers can start out on the right path to write more secure code and find the resources they need for continuous improvement.
Once developers know what they should be striving for in terms of software security, continuous testing is the lynchpin of successful DevSecOps. It gives developers the opportunity to see how their code is matching up to their security goals in close to real time.
Security integration throughout an entire business allows companies to become more efficient across the board, including development operations and quality control processes. Security must be a priority for everyone involved; otherwise it gets compromised in favor of faster time to market and other priorities that serve a fast-paced business plan. Although security might take a larger upfront investment, the return can be significant in terms of customer trust and sales.
About Ayman Sayed
Ayman Sayed is president and chief product officer at CA Technologies, responsible for the strategy and development of the company's full portfolio of Enterprise products and solutions. His mandate is to focus on building a differentiated product portfolio meant to help CA customers solve their most difficult business problems in the application economy.