Avoid Unnecessary Pain with a Security Champion

shutterstock 1018192246

Long gone are the days when developers spent months building a single app before releasing it into production. Thanks to agile methodologies, developers can now write – and rewrite – code multiple times per day at record speed.

That’s a critical advantage given the business world’s shrinking window for time-to-market. But while agile practices such as DevOps can help satisfy ever-evolving consumer demands, they can also make it difficult for developers to embrace stringent security controls, especially if they introduce unplanned and unscheduled fixes into the development cycle.

The impact of a breach

At the same time, organizations can’t afford to ignore mounting security risks – and their repercussions. According to an IDG/Veracode Application Security survey, nine in ten respondents report their organizations have experienced negative consequences as a result of security vulnerabilities or breaches.

Top impacts include application downtime (49%), application performance issues (38%), and increased operational costs associated with remediation (42%). And just one high-profile data breach as a result of an application vulnerability can create unfavorable newspaper headlines, causing financial and reputational damage. No wonder the majority of respondents (84%) agree that their companies are concerned about the potential data security risk posed by third-party applications.

A champion for change

Clearly, if software development is changing, so too must the way we regard security. Enter a security champion. The role of a security champion is to serve as the voice of the developer while satisfying the needs of the business from a security perspective. That’s challenging given the divide that’s long existed between security and development teams.

Security teams typically have a limited understanding of how developers work and often fail to recognize what they need to do their job properly. Developers, on the other hand, often underestimate how their lines of code contribute to the overall security health of the organization.

Fortunately, a security champion can bridge this gap by better translating, communicating, and effectively driving adoption of an application security program for faster delivery of secure code.

Getting to know a security champion

What does a security champion look like? Here are some defining characteristics:

A developer by trade: A security champion must have the skills of a white hat hacker, but clearly understand the importance of security practices and the needs of the larger business.

Passionate about security:  Security champions aren’t ordained; they’re self-appointed advocates for greater security. Because of this, they have a naturally keen interest in integrating security into development processes.

Empathetic to development processes: A security champion must not only know how to code but also how to address a development team’s pains and priorities. This includes having a deep understanding of the benefits and goals of the DevOps model.

Despite these important traits, most developers receive little or no training on secure coding, either in school or on the job. For this reason, an organization should always arrange for the security champion to receive secure code training.

The security champion effect

By assigning a security champion to each Scrum team, an organization can ensure that security measures are embedded in every step of the software development process.

For developers, the benefits are obvious: easier identification of security holes, faster time-to-market, and higher-quality secure code. Better yet, because security and development teams are working together, vulnerabilities can be detected earlier on, eliminating the need for security teams to send unsecure code back over the wall for the developer to fix, sometimes long after he or she has even written the code. The result: fewer costly delays and cross-departmental conflicts.

But a security champion can also help enhance roles within a company. As security shifts into the earlier phases of the development lifecycle, and security skills gaps widen, development teams often struggle to scale at the same pace. Fortunately, a security champion can reduce the need for security teams to be everywhere, all the time, thereby avoiding security bottlenecks. Security champions can also change the day-to-day activities of chief security officers, shifting their responsibilities from finding and fixing security flaws to providing teams with technology tools and governance.

A cultural overhaul

Cultural transformation is another natural byproduct of a security champion. Consider, for example, Quality Assurance (QA). Once a separate and siloed process, QA activities are now fully integrated into software development. Thanks to the influence of security champions, the same shift is occurring in security, where testing is fast becoming a key component of application development.

Security champions are also helping to foster a greater sense of community among security and development teams. Nowadays, security is a shared responsibility; everyone plays a part in reducing security holes. As a result, employees, from C-level executives to entry-level developers, must work together to address malware attacks, share real-world perspectives on security vulnerabilities, and encourage greater ownership of security-related roles.

Combining speed and security

These days, organizations rely on a wide array of applications for everything from cross-departmental collaboration to cloud-based storage. But as enterprise applications multiply, so too do the security risks. Complicating matters is the fact that developers are now under unprecedented pressure to ship code as fast as possible – a situation that can lead to security holes and costly delays.

The good news is that organizations need not choose between speed and security. Rather, a security champion can help them take measures to find and remediate security vulnerabilities while addressing the needs of the business. The result: greater security, fewer delays, redefined roles, and a cultural transformation that lays the groundwork for long-term gains. 

Bridge the gap between security and development with a security champion.  Watch this  webinar to learn more.

Copyright © 2018 IDG Communications, Inc.