It’s impossible to ignore security in the tech industry. LinkedIn, Google Ads, and now even Instagram are all touting their own security tools, methodologies, and consultancy services.
Why then, with there being such a buzz around security, is it a practice so difficult to entrench in a developer’s head? A consultancy or vendor might have you believe that you need to fork over some cash (i.e. buy their tool, service, etc.) in order to get developers and security aligned.
However, the solution might be something you can already achieve within your organization -- without adding any additional tools to your stack.
Culture is Everything
DevSecOps is big, and it’s here to stay. You might think that it’s as simple as Dev + Sec + Ops, but it’s more than that.
With DevSecOps, the ‘Sec’ should be thought of more as an all-permeating wrapper rather than just another component. (Dev+Ops)Sec would be more accurate. Effective DevSecOps ingrains security at every stage of the pipeline, from build to deployment.
Potential solutions such as container-level security, GitOps, or infrastructure-as-code are not a simple Band-Aid; they require a culture shift.
If you’ve already built a security-conscious technical team, and you know your pipelines and processes inside and out, then implementing DevSecOps simply shifts security left in the workflow.
Policies Over Standards
The concept of policies replacing security standards builds on the idea of culture shifts. Security standards are typically just a piece of documentation saved on Confluence or GSuite somewhere. They may get examined by a developer during a mandatory annual training session, or occasionally for reference, but they aren’t dynamic and are rarely top of mind.
Those responsible for enforcing such standards are normally compliance or security operations specialists, who are logically distanced from developers.
Aside from low adoption rates and disruptions to Agile workflows, security standards often lead to the ‘enforcer’ becoming the bad guy. This pushes even more of a wedge between dev and security, making security feel a bit like doing your taxes (and no one wants that).
If the expertise of the traditional ‘enforcer’ is shared with developers and dynamic, adaptable policies are adopted in place of rigid standards, then security simply becomes part of the workflow.
Zero-trust networking is a great example of this. Zero-trust networking is probably the best way to secure your infrastructure, and it relies on expertly defined and managed policies being present through each of its 10 principles.
Communication is Key
It’s common knowledge that communication is important in any successful relationship.
Communication between development and security teams should be free-flowing, transparent, and where possible, automated. Organizations with a successful DevSecOps culture take steps to improve collaboration and transparency such as only allowing communication via channel or group message.
Shared Lessons Learned From Mistakes
Google recently published some top lessons learned since establishing their Customer Reliability Engineering team, including the importance of knowing how to communicate about risk.
To mitigate negative outcomes, their CRE teams designed a risk matrix to constantly evaluate, communicate, and address current and foreseen risks. This sort of exercise wouldn’t be successful if carried out by developers in isolation. By bringing security into the mix, you can be assured that the risks are properly addressed.
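One way to make such a risk matrix concrete, as an added illustration that is not code from the article or from Google's published material: each risk is scored as expected "bad minutes per year" from its detection time, resolution time, frequency and impact, then compared against the error budget an availability SLO allows, so that dev and security owners see the same ranked list. The ETTD/ETTR scoring shape, the `Risk` record, and the sample register are assumptions constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the risk matrix. Times are in minutes; impact is the
    fraction of users or requests affected while the risk is live."""
    name: str
    owner: str            # "dev", "sec" or "shared": who is on point to address it
    ettd: float           # expected time to detect (assumed scoring input)
    ettr: float           # expected time to resolve (assumed scoring input)
    freq_per_year: float  # how often the scenario is expected to occur
    impact: float         # 0.0 .. 1.0

    def bad_minutes_per_year(self) -> float:
        # Each occurrence costs (detect + resolve) minutes, scaled by how much
        # of the service is affected, times the expected occurrences per year.
        return (self.ettd + self.ettr) * self.freq_per_year * self.impact


def error_budget_minutes(slo: float, minutes_per_year: float = 525_600.0) -> float:
    """Minutes of unavailability per year the SLO tolerates (99.9% -> 525.6)."""
    return (1.0 - slo) * minutes_per_year


def rank_risks(risks, slo):
    """Return (name, owner, bad_minutes, exceeds_budget_alone), worst first."""
    budget = error_budget_minutes(slo)
    ordered = sorted(risks, key=lambda r: r.bad_minutes_per_year(), reverse=True)
    return [(r.name, r.owner, round(r.bad_minutes_per_year(), 1),
             r.bad_minutes_per_year() > budget) for r in ordered]


def budget_consumed(risks, slo):
    """Fraction of the yearly error budget the listed risks would consume together."""
    return sum(r.bad_minutes_per_year() for r in risks) / error_budget_minutes(slo)


# Constructed sample register: figures are illustrative, not measured.
SAMPLE_RISKS = [
    Risk("Leaked CI credential abused before rotation", "shared", 2880, 240, 0.5, 1.0),
    Risk("Expired TLS certificate on public edge", "dev", 30, 60, 1.0, 1.0),
    Risk("Noisy-neighbour pod eviction", "dev", 10, 20, 12.0, 0.1),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_RISKS, 0.999):
        print(row)
    print(f"budget consumed: {budget_consumed(SAMPLE_RISKS, 0.999):.0%}")
```

A row that exceeds the budget on its own (here the slow-to-detect credential leak) is the one to put in front of both teams first; the ranking also shows that shortening detection time moves a risk down the list as effectively as shortening repair time.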
Full System Observability
If you’re on a mission to align your security and development teams, culture and communication are just the beginning. It’s vital to provide them with the tools and information needed to do so effectively.
We’re talking about true system observability, not just whiteboards. Observability gives teams the power to know what’s going on at any given time in a system.
Start With the Basics
Observability is the evolution of monitoring, so the latter needs to be in place for the former to be successful. Relevant metrics need to be collected, retained for an appropriate period, and stored in an accessible way. Metrics can also feed into invaluable tools like SIEM dashboards, a vital part of the security toolkit.
Build Something Great
Observability provides cross-cutting analysis of both system health and security. With a truly observable system, you can visualize data from anywhere -- including marketing sources, network load balancers, Kubernetes clusters, and more.
This gives you the real power to understand what impact each aspect of your system has on the organization as a whole. Perhaps most powerful of all is the clarity and actionability of the data in a truly observable system.
Aligned Responses in Real-Time
The context and analysis that observability platforms provide in real-time give your teams the ability to act quickly and with precision. In the event of a security breach, both your dev and security teams can be alerted with real insights and context, allowing them to collaborate effectively. Should you have a system outage, your devs can work on bringing things online while the security folks advise and reinforce policies to protect you at your most vulnerable.
Is it Really That Easy?
Observability is a crucial component of modern-day security. The more event data you have, the more observable your system is. Cross-analysis of the metrics relevant to devs and to security creates transparency and mutual understanding in times of crisis.
Unfortunately, following these simple steps won’t magically align dev and security teams overnight. These are just the foundations you need to get the ball rolling towards building a symbiotic relationship.
Ariel Assaraf is CEO of Coralogix. A veteran of the Israeli intelligence elite, he founded Coralogix to change how people analyze their operation, application, infrastructure, and security data -- one log at a time.