It’s the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.

For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers are buying in.

Microsoft is one company that’s trying to change how software developers feel about security and is actively taking steps to train teams in concepts like threat intelligence and attacker motivation.

Siri Varma, tech lead and software development engineer with Microsoft Security, works with both developers and cybersecurity teams every day.

Here, Varma answers three key questions for us about the relationship between developers and cybersecurity:

What barriers exist between developers and cybersecurity?

First, they have different priorities. Developers often prioritize speed, functionality and time-to-market, while cybersecurity teams prioritize safety and risk mitigation. This can lead to friction when security policies impose measures that developers feel slow down their workflow.

For example, a security policy might mandate blocking all traffic to the internet by default to minimize exposure to potential attacks. This is a best practice to ensure that only necessary traffic is allowed, reducing the attack surface. However, developers may push back on this, wanting to delay this strict control because the effort required to identify and allow legitimate traffic can be time-consuming.

Next, there’s the knowledge gap; coders may lack the necessary understanding of security practices, and cybersecurity teams may not fully grasp the complexities of the development process.

For instance, a developer might configure an S3 bucket with public read access, believing it’s necessary for the app’s functionality. This oversight can expose all data in the bucket to anyone on the internet. On the other hand, cybersecurity teams might not fully appreciate the developer’s workflow and the constraints they face, which can lead to miscommunications about why certain security measures are challenging to implement.

What are common misunderstandings between the two groups?

The two most common misunderstandings are security as an afterthought and security as a checklist item.

Developers frequently consider security an afterthought. They may prioritize feature development and assume that security concerns can be addressed later in the process. This approach often leads to vulnerabilities being managed reactively.

For example, take the issue of public access to storage. Developers might initially configure storage with broad access permissions, intending to tighten them later. This approach can become complex, as it often requires analyzing network telemetry to determine which resources are accessing the storage, ensuring that necessary functionality remains intact while tightening access controls.

Plus, the view of security as merely a final checklist task rather than an integral part of the development culture needs to change. This shift can only be achieved by embedding security practices throughout the development process and creating a culture where security is a continuous and shared responsibility.

If the cybersecurity team can only implement one change, one request, for developers to improve their security posture, what would it be?

The most impactful request would be for developers to shift left on security — which integrates security earlier in the development process. This can be done through secure coding practices, automated security testing and regular code reviews with security in mind. By embedding security into the DevOps pipeline (DevSecOps), developers can catch and fix issues earlier, reducing both security risks and the cost of addressing vulnerabilities later in the process.

This integration is so crucial that the Open Worldwide Application Security Project (OWASP) Foundation has developed maturity models to guide organizations at various stages of DevSecOps implementation.

As the relationship between developers and cybersecurity teams continues to evolve, collaboration and sharing responsibility are more crucial than ever. By embedding security into the development process from the start, organizations can build stronger defenses against emerging threats as they foster a culture where security fits naturally into development.