Application Security

Promoting a collaborative environment between Security and Development

Is it possible to create a collaborative environment between security and development? Consider this scenario:

A senior developer with 15 years of experience develops an application according to client specifications. He delivers the software and says everything is running perfectly. 

Then it is forwarded to the security team, and the analyst there verifies and says that one third of this code is wrong and needs to be redone. Imagine the frustration and discomfort of this developer, who argues but without positive feedback. Can you see any kind of collaboration between security and development in this scene, or just two people measuring their strengths?

We don’t need to go into narratives here to find out who is right. The security and development teams have distinct but complementary goals, and working together can result in more effective and secure solutions.

Creating a Culture that Breathes Security

To promote effective collaboration, it is important to create a culture of security, trust and mutual respect. Teams must understand the needs and challenges of the other group and work together to achieve common goals. Communication should be clear and open, allowing all parties to share ideas, solutions, and concerns.

Additionally, it is important to provide training and resources so that both teams can improve their skills and better understand best practices in security and development. This also includes the use of automation tools, such as security checks during the compilation process and the use of secure coding practices to ensure code security.

And with the support of a Security Champion, teams gain a kind of mediator between the two worlds, who encourages and helps create this new atmosphere, guiding a culture change where security will be organically inserted.

Security with United Teams

In a non-collaborative environment, the security team acts reactively and intervenes only at the end of the software lifecycle, after development has been completed. This usually leads to delays and rework, as well as increased costs.

In 2017, the cyberattack on Equifax exposed confidential information from more than 140 million customers. It was found that the breach occurred through a vulnerability in third-party software that Equifax used and had not patched in time. This could have been avoided if collaborative work had been present from the beginning of development. In this case, if Equifax’s security team had adopted an SBOM (Software Bill of Materials), they would have had information on known vulnerabilities in the listed component versions at hand, could have directed developers to apply the available patches, and the attack could not have happened.
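The SBOM check described above, as an added example that is not part of the original post or of any Conviso tooling: a minimal CycloneDX-style component list is matched against an advisory list, and every component whose version is older than the advisory's fixed version is reported with the upgrade target. Component names, versions and advisory ids are constructed placeholders; the `fixedIn` field and the simple numeric `major.minor.patch` comparison are assumptions for illustration.

```javascript
// Added example (not the post's or Conviso's code): flag SBOM components that
// are older than the first patched release listed in an advisory feed.
// All component names, versions and advisory ids below are constructed.

const sbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.4',
  components: [
    { name: 'example-web-framework', version: '1.2.3' },
    { name: 'example-json-lib',      version: '3.0.1' },
    { name: 'example-logger',        version: '2.8.0' },
  ],
};

// Constructed advisories: "fixedIn" is the first version that carries the patch.
const advisories = [
  { id: 'ADVISORY-PLACEHOLDER-1', name: 'example-web-framework', fixedIn: '1.2.4' },
  { id: 'ADVISORY-PLACEHOLDER-2', name: 'example-logger',        fixedIn: '2.7.5' },
  { id: 'ADVISORY-PLACEHOLDER-3', name: 'example-unused-lib',    fixedIn: '9.9.9' },
];

// Parse "major.minor.patch" into numbers; missing parts count as 0.
function parseSemver(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Return -1, 0 or 1 depending on whether a is older than, equal to or newer than b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] < pb[i]) return -1;
    if (pa[i] > pb[i]) return 1;
  }
  return 0;
}

// Cross the SBOM with the advisory list. A component is affected when its
// version is strictly older than the advisory's fixedIn version.
function findVulnerableComponents(bom, advisoryList) {
  const hits = [];
  for (const c of bom.components) {
    for (const a of advisoryList) {
      if (a.name === c.name && compareSemver(c.version, a.fixedIn) < 0) {
        hits.push({
          component: c.name,
          version: c.version,
          advisory: a.id,
          upgradeTo: a.fixedIn,
        });
      }
    }
  }
  return hits;
}

// Stand-alone run: prints the components the development team needs to patch.
for (const hit of findVulnerableComponents(sbom, advisories)) {
  console.log(`${hit.component}@${hit.version}: ${hit.advisory}, upgrade to ${hit.upgradeTo}`);
}
```

Running this in a CI step on every build is the point of the passage: the report goes to the developers who own the component, with the concrete target version, rather than arriving as a finding at the end of the lifecycle.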

A collaborative approach allows developers to consider security from the beginning of the development process, incorporating security measures into software requirements and design, the so-called DevSecOps. Additionally, security professionals can provide valuable feedback on possible vulnerabilities during testing and deployment phases.

Now let’s think about this scene… the security analyst meets with the developer and says, “Let’s analyze this together… this part of the code can be implemented like this, because it makes your code less vulnerable. For example, on line 15 of the code you used Math.random to generate a random password for the client, and this is insecure because it can produce random numbers that are not secure for use as passwords. The crypto library offers more secure methods for generating random passwords, such as crypto.randomBytes.” The developer will be much more confident and happy, and will even learn from the analyst.

OWASP SAMM as a Model for Security Practices

OWASP SAMM is a framework that provides a structured approach to incorporating security practices into all phases of the software development lifecycle, from conception to deployment. It divides the software security journey into two dimensions: maturity and practices. Maturity reflects the organization’s maturity level in incorporating security practices into the software development process, and practices are categories of software security-related activities that organizations should implement. And the Security Champion will help disseminate the AppSec culture within the company using this framework.

Using the Conviso platform as a means of collaboration

Many partner companies use the Conviso Platform to improve the security of their applications by integrating it into their development pipeline, using its automated scanning capabilities to identify potential security issues early on and providing a centralized platform for collaboration between security and development teams. The Conviso Platform helps to proactively integrate security into the entire development process, allowing the security team to perform threat modeling, review source code, and apply security tests more efficiently and quickly. As a result, companies can not only improve the security of their applications, but also streamline their development process, addressing the risk of security incidents and minimizing the cost and effort required to correct them (Figure 1).

Figure 1: Description of vulnerability identified through SAST (Static Application Security Testing)

In addition, together with the Conviso Platform, the company can also use the OWASP SAMM (Software Assurance Maturity Model) as a reference to create its security policies and define guidelines for the security and development teams, ensuring collaboration and communication between the teams throughout the development process. 

Creating a collaborative environment between Security and Development

A collaborative approach between security and development can result in more effective and secure solutions, as well as a stronger and more integrated organizational culture. By working together, teams can help secure systems and applications, protect user privacy, and maintain service availability, thereby ensuring customer and user trust. The benefits of this collaborative approach are clear: reduced risk of security incidents, increased efficiency and productivity, and increased customer confidence and satisfaction.

Collaboration is the key to effective culture change.
