A serious disconnection between cybersecurity teams and software developers is seemingly one of the biggest contributors to security flaws in organizational systems.
On one hand, developers have their eyes set on feature delivery and meeting deadlines. The application development process focuses not on security but on functionality. Due to their backgrounds and time constraints, they do not put much effort into ensuring that the software they develop meets security standards.
Notably, a majority of programmers do not write all their code themselves. They copy portions from existing open-source code and at times do not take the time to check it for security flaws.
On the other hand, cybersecurity teams focus on testing for known vulnerabilities in the newly developed software. They may not always have sufficient expertise in application vulnerabilities or effective tools for testing.
Moreover, security accreditations and certifications in many cases do not assess apps, and the development cycle is not a part of security audits and procedures.
The result of this divide is a never-ending blame game when things go wrong as well as permanent damage in the relationship between the two teams. And consequently, poor application development is becoming one of the most prevalent cyber threats of all.
Understanding the disconnect between app development and security
Among the most significant reasons behind the poor development and security practices is the fact that more firms today are rushing in a bid to launch various online apps. They are building consumer-facing sites and purchasing SaaS products off the shelf as well as developing mobile apps without undertaking much research into security.
At the same time, the cybersecurity team is almost completely focused on network security. As a result, applications continue to pose a major challenge in cybersecurity as these are the greatest weak points.
Potential risks resulting from the divide
Malicious attackers are increasingly focusing their attacks on the application layer for two major reasons. One has to do with the prevalence of the aforementioned do-it-yourself software solutions. These are often based on open-source code and could contain vulnerabilities that make them an easy target for hackers.
At the same time, the application layer often has direct access to valuable consumer information. For instance, a banking app requires your name and password to provide access to your account information and even to allow transactions. Being able to exploit such an app could potentially give hackers access to sensitive information or even lead to account takeover.
How to bridge the divide
It is important to address the root cause of most cybersecurity threats, which has a lot to do with the disconnection between the two teams. Only by bringing the two teams together can there be any real progress in dealing with this persistent problem. Here are a number of ways this can be done:
1. Finding a common ground
The only feasible solution for the problem is to find a way to establish common ground between the two teams. Doing this would make it possible to create a much better software development model. Rather than coming in at the end to implement a reactive solution, the cybersecurity team would work with developers from day one of an app development project.
Developers would have the input of the security team to write secure code from the onset. At the end of the project, there would consequently be fewer security flaws.
2. Getting past the blame game
Both teams would also benefit significantly from getting over the “them-and-us” mentality and putting an end to the blame game. For instance, the security team could benefit greatly from using the same tools that developers are using. Also, a more helpful approach would involve the development of security functionalities which have the needs of developers at their core.
3. Rebuilding trust
In order to reestablish trust between the two sides, each one needs to understand the priorities and constraints of the other. This way, they would be able to tailor their approaches to cater to the requirements of their counterparts in addition to their own.
Developers would need to acknowledge that security is a key function of any app or program, even if this is not obvious to everyone. As such, they will recognize the importance of security measures as more than just bureaucracy.
4. Creating and enforcing secure coding practices
As mentioned at the outset, vulnerabilities often occur because security frameworks are missing from the development process and security audits rarely examine apps. Implementing measures to test the code thoroughly during development would ensure early detection of potential flaws.
In order to accommodate this change, developers would need to stop viewing security checks as a holdup in the development process.
5. Restoring communication
Right from the outset, the two teams should be clear on what they want to achieve and how to do it. What is the intended objective of the project? Is it simply to get a tick from the audit department? Or is it to create a secure program?
Laying out the objectives from the get-go and how the teams plan to achieve them is a great way to ensure that everyone is on the same page.
A step in the right direction
The wide rift that exists between cybersecurity and software development departments is bound to take its toll on an organization sooner or later. Failure to devote time and effort to patch things up between the two sides could potentially have devastating effects.
As such, it is imperative that a company takes steps to bridge the divide before it causes a downfall. Having both sides realize the importance of working together and the potential benefits it could yield is far from impossible. And it holds great potential to address one of the most prevalent cybersecurity threats that companies today face.
Implementing security in the development process will contribute significantly to a proactive security approach rather than a reactive one that seeks to minimize damage. With such an approach, companies may, in the long run, spend a lot less on prevention than they would on fixing problems after they arise.
Having the two teams work hand in hand is a major step forward and the first of many steps in the right direction with regard to cybersecurity.