In Modern AppSec, DevSecOps Demands Cultural Change


This is the final of a six-part blog series that highlights findings from a new Mend white paper, Five Principles of Modern Application Security Programs

When thinking of adjectives to describe cyberattackers, it’s doubtful that many people would choose to call them innovative – a term we’re more likely to ascribe to things we enjoy. But the reality is that adversaries are innovative, constantly finding new ways to launch attacks that result in greater rewards for less effort.

Yet many organizations continue trying to defend against attacks using status-quo security solutions maintained by IT and security departments that haven’t innovated. In those organizations, teams are siloed, which slows development, reduces software quality, and increases the risk of a major security event.

In fact, 29 percent of CEOs and chief information security officers (CISOs), along with 40 percent of chief security officers (CSOs), say their organizations are unprepared to deal with impacts from the ever-evolving threat landscape, pointing to factors such as increased supply chain complexity, the fast pace of digital innovation, and lack of executive support.

Modern application security programs need a security culture that promotes collaboration between these teams. The organizational structure for development and security teams needs to reflect that they are working together to accomplish a well-defined set of goals, and everyone needs to be on the same page about what’s required.

This is especially important given the many challenges faced by IT and security teams, including dramatically increased speed and complexity in software supply chains. Today’s software development pipelines are more complicated and more automated, and they rely more heavily on third parties throughout the software development lifecycle (SDLC), which means there are more systems and more infrastructure to safeguard. These changes have also created a much larger and constantly changing attack surface for which application security (AppSec) teams are responsible.

The only way for organizations to overcome these challenges and ensure application resilience is to create a robust DevSecOps environment. In this collaborative environment, teams can work out how best to balance resources and ensure that critical security issues are addressed. Successful DevSecOps teams share responsibility for security across the organization, and that mindset is backed by executive leadership. It’s an environment built on effective communication, with strong feedback loops, and promoted by security champions from throughout the organization.

As organizations move away from siloed, ineffective IT and security departments, they’ll achieve better results in combating cyberattacks. One natural outcome is that they will build, and come to depend more heavily on, cyber resilience.

Learn more about what IT and security teams can do to prevent application attacks by downloading a copy of the white paper today. 
