Snyk Blog

5 ways to improve security during digital transformation

Written by:
Erin Cullen
wordpress-sync/hero-research

April 10, 2023

0 mins read

Digital transformation initiatives have pushed software development to the next level. Today's consumers demand an optimum customer experience and expect modern apps to live up to high expectations. So, the average developer in 2023 must keep up with faster delivery, more eye-catching features, and better functionality. 

This unprecedented growth in the software development industry has led to a massive disparity between development and security teams. While the introduction of DevSecOps helped these two teams start collaborating, the problem remains.

Why? Because DevSecOps mostly focused on embedding security into DevOps. It was all about how development teams should implement security. But it didn't train or equip security teams to work with the complexity of modern-day development environments.

Security and development teams are still at odds

The bottom line: security and development teams still have different priorities, cultures, and practices. Digital transformation only continues to push them further apart. Many security professionals lack the resources to learn how a modern-day development process works, making it tricky to collaborate with developers. Here's how this disparity continues to play out as digital transformation and security continue to collide: 

  • Developers receive pressure to go faster, while security teams implore them to slow down so they can integrate traditional security solutions into the SDLC.

  • Security teams often need more personnel and resources, while development teams continue to grow in size as the demand for digital transformation grows. 

  • Current development workflows require agile security tools to handle large projects and work in a complex environment. Yet many security teams still use traditional security solutions designed for large, monolithic waterfall apps with late stage security assessments.

  • Many developers have had access to security education and awareness for a while, thanks to DevSecOps. But, security still needs education on modern development processes, systems, components, workflows, goals, and needs.

All of these factors lead to frustration for both teams. On one end, security teams wonder why the developers won't follow instructions. On the other, developers find it difficult — if not impossible — to meet the security team’s demands.

Janet Heins, CISSP award-winning security expert, global IT leader, and advisor at iHeartMedia summarized the developer's experience with security: "I hand over my code to someone to tell me what security flaws I have, then I go onto something else, and two days later they come back, and I'm not even in that code anymore, and they list the flaws that I need to go find, fix, and resubmit — it's just super disruptive."  

Richard Bird, Chief Security Officer at Traceable, has observed this ongoing tension between security and development: "No company I know of is performing at a world-class level in this space. I believe many companies are doing an okay job of balancing the challenges and tensions between security and development teams. Still, even the higher-performing DevSecOps organizations struggle tremendously with the friction caused by how long it takes security resources to address remediation. Most importantly, being just okay isn't remotely good enough to defend against, let alone win, against the bad guys."

In this post, we'll take a look at 5 things you can do to reduce that gap. For a deeper dive, check out our longer playbook: Why modern security teams need a transformation (and how they can do it).

How to bridge the security gap during digital transformation

We need to go beyond implementing DevSecOps on the developers' end. It’s time for security teams to bridge their side of the gap too. Here are a few actionable steps for them to foster better collaboration with development: 

1. Increase Awareness

Education needs to happen on both sides of the equation. DevSecOps has typically focused on educating developers on security best practices. Security needs to put in just as much work. Security professionals should take the time to understand development priorities, processes, systems, workflows, and goals, ultimately aiming to become trusted partners.

2. Select the Right Tools

Security solutions must be developer-friendly: easy to learn, intuitive to use, and seamlessly integrated into familiar workflows. Developers have to balance several priorities at once; security is often one of the last things on their minds. So, security teams need to find tools that developers can use with minimal effort outside their daily processes. 

3. Ask the Right Questions

Picking the proper security tools is one thing; putting them into your organization's SDLCs with the right security strategy is another. It's essential for security teams to ask the right questions as they select and integrate tools into the developers' workflows. A few examples of good questions to start with:

  • What are the best ways to seamlessly integrate our solutions into the development team's workflows without impeding their cadence?

  • How can our solutions deliver the most relevant, problem-solving, actionable results for developers?

4. Initiate Effective Internal Practices

Security teams should also establish and define security and developer roles, then monitor with designated metrics. Define who owns what, who's accountable for each element of the security process, and, generally, what security-development success looks like. Many teams benefit from using scorecards to track these metrics. 

5. Celebrate Success

When someone on the development team does something significant for the development team's security process, celebrate them! It's a great way to spread awareness and encourage other team members to contribute to security initiatives. 

A mindset shift for security teams

With today's threat landscape, it's no longer optional for organizations to break down these barriers between development and security teams. And let's be honest — neither team wants to deal with this tension anymore. Fortunately, there is a way forward from here. It’s all about creating a true culture shift of roles, responsibilities, and collaboration amongst developers, DevOps/platform, and security alike. This mindset shift gets everyone on the same page, enabling security teams to work alongside modern software development — now and for years to come.

Find out more about transforming security teams by downloading our playbook, Why modern security teams need a transformation (and how they can do it).

Posted in:Application Security, DevSecOps
wordpress-sync/hero-research

CISOs Guide to Cultivating Developer Security

Want your development teams to start adopting secure development practices? Download our guide to discover actionable playbooks on improving developer adoption of security tools and how CISOs are implementing these today.

See the guide
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon