October 2, 2024 By Mark Stone 3 min read

It’s the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.

For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers are buying in.

Microsoft is one company that’s trying to change how software developers feel about security and is actively taking steps to train teams in concepts like threat intelligence and attacker motivation.

Siri Varma, tech lead and software development engineer with Microsoft Security, works with both developers and cybersecurity teams every day.

Here, Varma answers three key questions for us about the relationship between developers and cybersecurity:

What barriers exist between developers and cybersecurity?

First, they have different priorities. Developers often prioritize speed, functionality and time-to-market, while cybersecurity teams prioritize safety and risk mitigation. This can lead to friction when security policies impose measures that developers feel slow down their workflow.

For example, a security policy might mandate blocking all traffic to the internet by default to minimize exposure to potential attacks. This is a best practice to ensure that only necessary traffic is allowed, reducing the attack surface. However, developers may push back on this, wanting to delay this strict control because the effort required to identify and allow legitimate traffic can be time-consuming.

Next, there’s the knowledge gap; coders may lack the necessary understanding of security practices, and cybersecurity teams may not fully grasp the complexities of the development process.

For instance, a developer might configure an S3 bucket with public read access, believing it’s necessary for the app’s functionality. This oversight can expose all data in the bucket to anyone on the internet. On the other hand, cybersecurity teams might not fully appreciate the developer’s workflow and the constraints they face, which can lead to miscommunications about why certain security measures are challenging to implement.

Explore IBM DevOps solutions

What are common misunderstandings between the two groups?

The two most common misunderstandings are security as an afterthought and security as a checklist item.

Developers frequently consider security an afterthought. They may prioritize feature development and assume that security concerns can be addressed later in the process. This approach often leads to vulnerabilities being managed reactively.

For example, take the issue of public access to storage. Developers might initially configure storage with broad access permissions, intending to tighten them later. This approach can become complex, as it often requires analyzing network telemetry to determine which resources are accessing the storage, ensuring that necessary functionality remains intact while tightening access controls.

Plus, the view of security as merely a final checklist task rather than an integral part of the development culture needs to change. This shift can only be achieved by embedding security practices throughout the development process and creating a culture where security is a continuous and shared responsibility.

If the cybersecurity team can only implement one change, one request, for developers to improve their security posture, what would it be?

The most impactful request would be for developers to shift left on security — which integrates security earlier in the development process. This can be done through secure coding practices, automated security testing and regular code reviews with security in mind. By embedding security into the DevOps pipeline (DevSecOps), developers can catch and fix issues earlier, reducing both security risks and the cost of addressing vulnerabilities later in the process.

This integration is so crucial that the Open Worldwide Application Security Project (OWASP) Foundation has developed maturity models to guide organizations at various stages of DevSecOps implementation.

As the relationship between developers and cybersecurity teams continues to evolve, collaboration and sharing responsibility are more crucial than ever. By embedding security into the development process from the start, organizations can build stronger defenses against emerging threats as they foster a culture where security fits naturally into development.

 

More from Risk Management

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Roundup: The top ransomware stories of 2024

2 min read - The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.Here are the biggest ransomware stories of 2024.Ransomware payments reach record highRansomware payments surged to record highs in 2024. In the first half of the year, victims…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today