Meet us at RSAC 2024, May 6-9 Let’s Meet

×
×

Seemplicity secures a total of $32M to bring the future of work to security teams!

Seemplicity
Read More

Cracking the Code With Communication: The Catalyst for DevSecOps Success
Jessica Amado, September 3rd, 2023

Modern software development is about teams working together – think “DevOps” – and moving fast. To prevent bottlenecks, streamline the development cycle and improve efficiency, organizations are “shifting left” to include QA, performance and security tests into the development process. The move means tests are performed earlier in the CI/CD workflow, with security continuously built in throughout the software development lifecycle (SDLC). In turn, there is greater engagement between software development, security and operations teams (hence the term “DevSecOps”).

It is, therefore, unsurprising that in the recent SANS 2023 DevSecOps Survey, respondents ranked communication as the second most important factor to DevSecOps success.

Yet, despite its significance, DevSecOps communication tends to be disorderly and messy. The conflicting priorities of DevOps and security teams create friction, limiting their desire to collaborate and, in turn, communicate; where the former concentrates on speed and efficiency, the latter prioritizes safety practices. Additionally, organizational silos (ranked as one of the top three challenges to DevSecOps success in the SANS Survey for the last three years) and differing workflows and tools present a logistical nightmare that prevents seamless communication. This in itself is a barrier to effective communication, but also contributes to the tension, which further damages cross-functional communication – a classic catch-22 situation.

In short, the teams don’t think the same way or speak the same language. And, without effective communication to break down the silos, DevSecOps success is limited.

 

The consequences of poor communication

Poor communication hinders the efficiency of DevSecOps practices and slows down the SDLC. Without a collaborative workflow in place, DevOps teams get overwhelmed with security findings and open tickets that they need to prioritize and organize, while the security team is constantly on the chase to understand what, if anything, is being done about said findings. The administrative burden on all teams not only adds to the animosity they feel toward each other, but is a waste of resources and significantly reduces productivity. According to a Forbes Advisor analysis, 49% of respondents reported that ineffective communication impacted productivity.

 

 

In addition to the administrative burden of prioritizing and allocating tickets, when “fixers” are left with an unmanageable amount of findings, the remediation process suffers and this can result in serious security issues later on in the development process. Small discoveries can snowball into major concerns if they are not addressed in a timely manner. The now much larger issue is a greater remediation challenge than if it were handled when first discovered, demanding considerable resources and delaying production output.

In many cases, however, findings don’t get addressed at all. Time constraints and a continuous influx of security findings make it near impossible for the DevOps team to remediate every vulnerability, meaning vulnerable code gets pushed out to production. Not only could this be a costly compliance breach, but the organization’s reputation is at risk should a customer suffer as a result of the vulnerabilities.

 

What can be done?

To put the “shifting left” mindset into practice effectively, communication between development, security and operations teams must be improved. Here are three steps that you can take now:

 

  • Embed a security mindset within the DevOps team

When DevOps personnel are equipped with greater cybersecurity knowledge, often through training and awareness programs, a culture of security becomes embedded within the team. Additionally, having a security champion on the DevOps team further helps to promote a security mindset and culture. Sharing the responsibility of security with the DevOps team fosters greater alignment and a more collaborative relationship. With a willingness to work together, naturally communication between the teams will improve.

  • Develop shared policies and data

Shared policies and data foster an environment of greater transparency and help build a common view. With teams aligned and on the same page, it is easier to communicate and set realistic expectations surrounding security. Moreover, when the DevOps team is able to meet security expectations, communication is further improved as there is less friction.

  • Eliminate administrative complexities

Implement tools that offer better visibility and context so remediation can occur quickly. Seemplicity’s Remediation Operations platform aggregates and deduplicates findings across a number of siloed solutions to offer complete visibility of security vulnerabilities while reducing the number of open tickets, and routes remediation requests to the relevant fixers. With the administrative burden out of the way, the security team maximizes engagement and communications with the DevOps team and enhances remediation efficiency.

Learn how Seemplicity’s RemOps platform enhances team collaboration and improves the remediation process.

Read More From Our Blog

Fixer-Upper Wisdom: Nailing Down CVSS Vector Strings, EPSS and CISA-KEV

Read Now

How Digital Transformation Impacts Vulnerability Management Programs… and the Solution

Read Now

Getting Ready for the OpenSSL Critical Vulnerability

Read Now