Evo Cyber Security #47 - Bridging the Gap: Fostering Developer & Security Team Collaboration
Sep 13, 2023
Listen to experts Curtis Koenig, Feng Zhu, Jeevan Singh, and Mark Goodwin discuss fostering collaboration between developers and security teams, including building security champions and establishing strong partnerships. Discover strategies to bridge the gap, improve communication, and prioritize security risks.
Developers and security teams should work closely together, with the security team providing advice and support while still maintaining independence.
Establishing a strong security champion program is crucial, with the need for clear goals, management support, and continuous training of security champions.
Deep dives
Balancing Autonomy and Collaboration between Developers and Security Teams
The podcast episode discusses the importance of finding a balance between autonomy and collaboration when bridging the gap between developers and security teams. The speakers emphasize the need for security teams to be close to developers, understanding their goals and giving them good advice while still maintaining independence. They also stress the importance of reducing the distance between engineering and security, sharing the responsibility for security without overwhelming developers. The speakers highlight the benefits of having security reporting into the engineering organization and hiring engineers as security professionals to strengthen the collaboration and understanding between the teams.
Establishing a Robust Security Champion Program
The podcast explores the topic of establishing a strong security champion program. The speakers discuss the importance of rewarding and incentivizing security champions, ensuring that their role is recognized and valued within the organization. They emphasize the need for a well-defined goal and purpose for the program, such as reducing risk, increasing knowledge, or reducing operational work for the security engineering team. The speakers also highlight the significance of management support, aligning resources, and securing buy-in from upper levels of leadership. They suggest establishing a feedback loop to continuously train and retain security champions, ensuring their ongoing growth and development.
Effective Information Flows and Integrating Security into Development Lifecycle
The podcast episode delves into the challenges of establishing effective information flows and integrating security into the development lifecycle. The speakers discuss the need for clear and actionable information for developers, reducing noise and false positives in security tooling and processes. They highlight the importance of training and guiding developers in threat modeling to ensure a common language and understanding between security and development teams. The speakers also stress the value of feedback loops, involving product owners and engineering managers in the security process, and continuously refining the information flow to meet engineering needs. They emphasize the importance of building a culture of security and providing incentives for developers to prioritize security vulnerabilities.
Sustaining Developer Motivation to Fix Security Vulnerabilities
The podcast episode addresses how to sustain developer motivation in fixing security vulnerabilities. The speakers emphasize the need for providing actionable information and prioritizing security issues that have real impact. They discuss the importance of creating a process that keeps security work from being dropped, such as implementing gates or blockers that prevent critical vulnerabilities from being deployed. The speakers highlight the significance of frequent communication, feedback loops, and recognition for developers' security efforts. They suggest incorporating security into the company's culture, providing incentives and rewards, and ensuring leadership support and understanding of the importance of security for customers and end users.
Join host Gareth Davies in Episode 47 of Evo Cyber Security as he discusses "Bridging the Gap: Fostering Developer & Security Team Collaboration." Today's guests include Curtis Koenig, Head of Application Security at Gen Digital; Feng Zhu, Principal DevSecOps Engineer at xDesign; Jeevan Singh, Director of Product Security at Twilio; and Mark Goodwin, Application Security Lead at Matillion. Discover valuable insights into the world of cyber security, application security, and how these experts are working together to enhance digital protection. Tune in for expert discussions and actionable advice in the ever-evolving field of cyber security.