As part of our “DevSecOps Best Practices” post series, we are expanding each of the seven recommendations we provided to teams wanting to adopt DevSecOps methodologies.
In this particular article, we want to bring attention to the lack of coordination we often see between developers and security analysts.
While we always advocate that developers should write secure code from the beginning, it is nevertheless a good practice to have infosec professionals review the security stance of the application as a safeguard before going into production. As this security audit happens, we find that very often the two teams, developers and security auditors, struggle to communicate effectively.
The root cause of this miscommunication is that security issues are treated separately from other software quality issues, and this manifests across several aspects:
- Different bug repositories: auditors typically post their findings in a separate task management system, or even worse, as a static report. Developers do not want to check multiple task/bug repositories. This manual synchronization becomes a tedious operation that adds friction to a DevOps environment.
- Unclear ownership: as a consequence of the previous point, security issues are not assigned to clear owners in the development team. This results in a longer time to market while bugs are re-entered by hand.
- Conflicting priorities: developers naturally tend to resolve functionality bugs first and only afterwards focus on security issues. As a result, many security issues never get resolved and insecure code is pushed to production.
We believe that improving the communication between developers and security specialists reaps great benefits. Application Security can’t happen without developers, and we recommend seeking tools that adapt to your workflow and leverage the tools that your developers already use.
Your Application Security Testing tool should integrate with your bug tracker
In short, our actionable recommendation to improve team communication is to seek application security solutions that integrate with your own preferred task management and bug tracking tools (Jira, Asana, etc.).
The idea is to have the security analysis tool automatically create bug tasks for you. Ideally, the inserted task has all the required information associated with it, such as the nature and severity of the bug (e.g. “SQL Injection, high priority”), the location of the bug in your codebase (file and line), and the trigger action that enables an exploit.
Furthermore, the Application Security Testing (AST) tool should be able to maintain the task over its lifetime, including updating the status to “completed” when the issue has been successfully resolved, so that developers never have to reconcile two sources of truth.
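To make the task lifecycle described above concrete, here is an added example (not Hdiv's code, and not a real Jira or Asana client) of a small sync routine that turns scanner findings into tracker issues. The tracker is an in-memory stand-in, and the findings are constructed sample data; the point it demonstrates is the part that usually goes wrong in practice: giving each finding a stable identity so the same bug is not filed twice when a line number drifts, mapping severity to tracker priority, closing the issue automatically when the finding disappears from a scan, and reopening it if the bug comes back.

```python
"""
Sync static-analysis findings into an issue tracker.

Added example, not Hdiv's code. InMemoryTracker is an assumed stand-in
for a real tracker API (Jira, Asana, ...); Finding is the shape of a
scanner result as described in the post: rule, severity, location, trigger.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tracker priority names are assumptions; adjust to your tracker's scheme.
SEVERITY_TO_PRIORITY = {"critical": "Highest", "high": "High",
                        "medium": "Medium", "low": "Low"}


@dataclass(frozen=True)
class Finding:
    rule: str       # nature of the bug, e.g. "SQL Injection"
    severity: str   # critical / high / medium / low
    file: str       # location in the codebase
    line: int
    trigger: str    # the request or action that reaches the vulnerable code

    def fingerprint(self) -> str:
        # Stable identity across scans: rule + file + trigger. The line
        # number is deliberately excluded because unrelated edits move it,
        # and re-filing the same bug under a new line is exactly the
        # duplicate noise that makes developers ignore the security queue.
        key = f"{self.rule}|{self.file}|{self.trigger}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class Issue:
    key: str
    title: str
    priority: str
    description: str
    fingerprint: str
    status: str = "Open"


class InMemoryTracker:
    """Minimal stand-in for a bug tracker (assumption, not a real API)."""

    def __init__(self) -> None:
        self.issues: Dict[str, Issue] = {}
        self._counter = 0

    def create(self, title: str, priority: str, description: str,
               fingerprint: str) -> Issue:
        self._counter += 1
        issue = Issue(f"SEC-{self._counter}", title, priority,
                      description, fingerprint)
        self.issues[issue.key] = issue
        return issue

    def find_by_fingerprint(self, fp: str) -> Optional[Issue]:
        return next((i for i in self.issues.values() if i.fingerprint == fp), None)

    def transition(self, key: str, status: str) -> None:
        self.issues[key].status = status


def sync_findings(tracker: InMemoryTracker,
                  findings: List[Finding]) -> Tuple[int, int, int]:
    """Reconcile one scan's findings with the tracker.

    Returns (created, reopened, closed) counts.
    """
    seen = set()
    created = reopened = closed = 0
    for f in findings:
        fp = f.fingerprint()
        seen.add(fp)
        description = f"Trigger: {f.trigger}\nLocation: {f.file}:{f.line}"
        issue = tracker.find_by_fingerprint(fp)
        if issue is None:
            tracker.create(
                title=f"[{f.severity.upper()}] {f.rule} in {f.file}:{f.line}",
                priority=SEVERITY_TO_PRIORITY.get(f.severity, "Medium"),
                description=description, fingerprint=fp)
            created += 1
        else:
            issue.description = description      # keep location current
            if issue.status == "Done":           # regression: bug is back
                tracker.transition(issue.key, "Reopened")
                reopened += 1
    # Anything the scanner no longer reports has been fixed: close it so
    # the developer does not have to update the ticket by hand.
    for issue in tracker.issues.values():
        if issue.fingerprint not in seen and issue.status != "Done":
            tracker.transition(issue.key, "Done")
            closed += 1
    return created, reopened, closed


def demo() -> Tuple[InMemoryTracker, Tuple[Tuple[int, int, int], ...]]:
    """Three constructed scans: initial, one fix plus line drift, regression."""
    tracker = InMemoryTracker()
    scan1 = [Finding("SQL Injection", "high", "app/orders.py", 42, "GET /orders?id="),
             Finding("Reflected XSS", "medium", "app/search.py", 17, "GET /search?q=")]
    r1 = sync_findings(tracker, scan1)   # two new tickets
    scan2 = [Finding("SQL Injection", "high", "app/orders.py", 45, "GET /orders?id=")]
    r2 = sync_findings(tracker, scan2)   # XSS fixed -> closed; SQLi line moved, not re-filed
    r3 = sync_findings(tracker, scan1)   # XSS is back -> reopened
    return tracker, (r1, r2, r3)


if __name__ == "__main__":
    tracker, results = demo()
    print(results)
    for issue in tracker.issues.values():
        print(issue.key, issue.status, issue.priority, issue.title)
```

Running `demo()` yields `(2, 0, 0)`, `(0, 0, 1)` and `(0, 1, 0)` for the three scans. Swapping `InMemoryTracker` for a thin wrapper around your real tracker's create/search/transition calls is the only change needed; the fingerprint and reconciliation logic is what keeps the developer's queue free of duplicates and stale tickets.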
These are the key benefits that arise from following this approach within a DevSecOps context:
- Fix security issues during development rather than later, when they are more expensive to resolve.
- Treat security issues as code defects, no different from functionality bugs.
- Educate developers on secure coding practices, as opposed to patching their work after the fact.
- Accelerate your development by improving communication between teams.
To review the rest of our 7 recommended Best Practices to adopt DevSecOps, check out this post and/or contact the Hdiv sales team. We will be happy to assist.