In "Hey Security People: Developers Want Secure Code Too," Pixee CTO Arshan Dabirsiaghi discusses the stumbling blocks that arise between developers and security teams and shares his advice for overcoming them.
“I've been working in software security for 20 years with companies of all sizes, and when I hear security people interact with developers… my impression is that security people aren't really "getting" them… The developers I know are generally passionate people who want to build cool stuff, and take pride in their work. They're fascinated by exploits. They view security problems as embarrassing and try to fix real issues quickly.”
For organizations looking to bridge the gap between their development and security teams, Arshan emphasizes the importance of:
Incentivizing security throughout the development process: Security should be a collective responsibility, not just the domain of the security team.
Empowering developers with non-disruptive, high-quality security tools: Most security tools are noisy and painful to work with. Developers need tools that do more than warn and alert; they need tools that help fix the problem.
Cultivating effective collaboration through an empathetic mindset, open communication, and ongoing education: Differing skill sets and perspectives are at play. Taking the time to better understand each team’s motivations and pain points leads to harmonious outcomes for all.
Addressing these areas can help create lasting, successful partnerships between developers and security professionals and effectively increase product security.
For the full blog post, see: https://nahsra.hashnode.dev/hey-security-people-developers-want-secure-code-too