Back to Feed

The Future of Secure Software Development: A Collaborative Journey

Trupti Shiralkar

-

April 2, 2024

Overview

In my 18-years long career in software security, I've had the privilege of collaborating with a diverse array of companies, ranging from nimble startups to established Fortune 500 giants. Whether establishing  product security practices from scratch in startups or fine-tuning product security functions in larger organizations to align with growth objectives and engineering velocity, I've gained valuable insights along the way.

Through these experiences, I've come to appreciate the critical importance of fostering proactive and seamless collaboration between engineering and product security teams. This synergy is not just advantageous; it's essential for ensuring the swift and secure delivery of software releases in today’s fast feature driven software development lifecycle.

In this blog, I aim to do more than just share my experiences—I want to engage and empower readers by offering practical advice on steering clear of common pitfalls in software security. Together, we'll explore strategies for achieving smoother collaboration between development and product security teams, ultimately paving the way for more efficient and effective software development processes.

Introduction

Every organization possesses one or more unique development workflows, shaped by the evolution of their engineering department, tools, and processes since the inception of their product journey. As organizations mature and embark on their compliance journey to market their product across different sectors, the significance of product security becomes paramount.

When making the initial security hire, it's crucial to ensure they grasp the intricacies of the product roadmap, engineering culture, and existing CI/CD tooling. This understanding empowers them to seamlessly integrate security measures throughout the software development life cycle. 

As the organization, product offerings and customer base grows, it is important for security functions to scale smoothly. Engineering orgs are under tremendous pressure to release shiny new features that generate revenue. If security doesn't match the speed of releases, then organizations may release insecure versions of software or slow down their overall releases. Both are detrimental to business. Let's take a look at the problems more closely. 

Problem

If security teams fail to closely consider any of the aforementioned aspects (product roadmap, engineering culture, dev workflows), security processes, tooling, and security engineers may inadvertently create friction, hindering developer velocity and impeding release cycles. Such friction can significantly tarnish the security team’s reputation and overall effectiveness. In cases of ineffective collaboration, security teams may be blamed for the following:

Tooling issues:

  • Outdated security tools that lack support for newer technology frameworks.
  • Time-consuming security scanning processes.
  • Incompatibility of security tools with development workflows, resulting in application breakages.
  • Excessive noise from security tools due to false positives.

Process-related problems:

  • Immature security assessment processes with unclear guidance for developers.
  • Security processes create bottlenecks that slow down releases and deployments.
  • Treating security as merely a compliance checkbox.

Communication challenges:

  • Dismissing security concerns in the absence of active exploits.
  • Perceptions of security engineers blocking releases being unfriendly or uncooperative.
  • Perceptions of security as overly complex, making prioritization difficult.

Strategies for smoother collaboration

Security professionals understand these development team concerns. However, to bridge the gap and build trust, let's explore these strategies

1. Communication at all layers  

Product security leaders must forge strong relationships with engineering, product leaders, and frontline teams like developers, SREs, and product managers. Security teams should be actively involved in all strategic and tactical planning sessions, especially when prioritizing new products or features.

Empower your development teams! Provide developers, SREs, and QA testers with regular, hands-on security training specific to the technologies they use. This fosters collaboration beyond just vulnerabilities and incidents. Training equips them with remediation knowledge that can be directly applied when fixing vulnerabilities, ultimately resulting in more secure products.

Call to action:

  • Product security leaders: Schedule joint planning sessions with engineering, product, and frontline teams to integrate security considerations from the start.
  • Engineering leaders: Champion security training for your developers, SREs, and QA testers. Invest in programs that align with your technology stack.

2. Stakeholder buy-in

Including security from the beginning is critical to avoid delays and ensure a secure product launch. To achieve this, security leaders must secure executive buy-in from all stakeholder leadership teams. This collaboration empowers us to implement the right checks and balances, guaranteeing that security and privacy are prioritized throughout the entire product development lifecycle – from planning to launch.

Call to action:

Security leaders must develop a compelling presentation that clearly outlines the benefits of early security involvement. Focus on cost savings, faster time to market, and reduced risk of breaches. Use real-world examples or data to showcase the impact. Schedule meetings with key executives and leadership teams to secure their buy-in. In fact the VP R&D and CISO should illustrate a good rapport and lead by examples for their teams.

3. Appsec Tooling & developer workflow integration

Modern application security tools are built for today's fast-paced development workflows. Seamless integration means developers can screen security posture without disrupting their flow. This allows for early detection and fixing of vulnerabilities before features reach production. Security scans become transparent, empowering developers to write secure code from the start. 

Call to action:

  • Security Engineers must evaluate and invest in modern application security tools that provides clear visibility into the vulnerabilities that truly pose a risk to their organization 
  • Developers should embrace the prioritization set by modern appsec tooling and focus on faster remediation. A true collaboration between Appsec and developers can assist them write more secure code, reducing rework and ensuring faster deployments.

4. Always remember & cherish the human connection

“Dev and Appsec conversations are emotional conversations” ~ Shahar Man, CEO & Founder, Backslash

Whether the conversations are related to vulnerability remediation or risk prioritization these are emotional interactions between  developers and Appsec engineers. 

Developers work hard to build and push new features to production under tight deadlines set by product management. They take pride in their creativity and in the product that they have built. Appsec engineers take pride in protecting the software by identifying security defects, communicating them with engineering to drive fast remediation to protect the organization and customer trust.  If security engineers do not form a strong bond with developers and do not show appreciation for their innovation and creativity, discussions around “security defects” can be interpreted as criticism. By working through these emotions with empathy and open communication, Dev and Appsec teams can build a strong bond. This human connection fosters trust, making collaboration more productive towards achieving  a common goal of protecting software, customer trust, organization’s reputation and revenue

Call to action:

  • Get to know your developers and engineering leaders at the personal level. One on one conversations over virtual coffee, team level lunch & learn, running security champion’s program, participating in engineering events (hackathons) are some of the ways to achieve personal connections.
  • During security conversations, create a safe place for your developers so that  they are more likely to express their thoughts, concerns, and ideas freely. This will help create a more honest conversation on how to go about fixing vulnerabilities at scale and or how to proactively insert guardrails without compromising developer velocity.  
  • Be empathetic and extend on-call support to developers to assist them in navigating technical and or organizational challenges. Prioritize conflict resolution over anything with the engineering leaders.

Conclusion

Software fuels human progress, but with this power comes the responsibility to secure it. The good news? You're not alone in this fight. By implementing these practical strategies, you can forge a powerful alliance between security and development teams. This collaboration is the secret weapon for achieving faster, more secure releases. Together, we can build a more secure future.

About the Author

Trupti has 18 years of diverse experience, leading security and privacy initiatives in Fortune 500 companies and dynamic startups. She enjoys researching emerging trends in security and their impact on software security and privacy . Her journey is marked by cultivating high-performing teams, pioneering product security and privacy engineering strategies, and instilling a progressive mindset. A seasoned public speaker and product security leader, she passionately imparts her insights to drive positive security impacts and mitigate organizational risks. Notably, she holds a patent for a secure and anonymous electronic polling solution.