Better Connect With Agile Developers on Security

Posted: September 9, 2018 in Developer Security, Security

Information security staff (the security geeks) typically take a confrontational attitude toward the rest of the business. It's easy for them to say that others don't get 'security'. But they should realize that information security professionals exist because of these 'others' who do not understand security. There's a dire need to improve the communication between InfoSec professionals and these 'others'. Let's take the example of connecting with agile developers and see how the communication can be improved.

Agile development is now mainstream, with some exceptions. As usual, security folks are a step behind in adopting the latest trends in technology. This is fine if security professionals can be fast followers. They need to adjust their mindset to help agile developers become more agile. I have some thoughts for InfoSec professionals.

  • First of all, accept the fact that processes and certain tools used during the waterfall days do not work in the agile world. So, start questioning the effectiveness of your tools and processes.
  • Agile is all about speed. Security professionals should think about speeding up their own processes as well. Use automation wherever possible.
  • Adopt AI technologies to improve the quality of security findings and help avoid developers wasting time on less important items.
  • If you want to get some work done by the developers, you have to speak their language. Developers are happy to fix bugs but not vulnerabilities, because they feel that it's the job of security folks to deal with vulnerabilities. Talk to them about security bugs instead of security vulnerabilities.
  • Security requirements should be made part of the development work. Agile developers plan their work around user stories assigned to them. Security requirements should be nothing but another user story for them to work upon.
  • Security folks need to think a lot like developers. They should think about converting security functionality into APIs and code libraries to make the life of developers easy. For example, instead of advising what the authentication type should be, it can be made available as a library. Security APIs would minimize the code-level changes every time there is a change in the security requirement.
