The relationship between development and security teams is often contentious. Security might see developers as a liability when it comes to protecting data and systems, and developers often view security as a disruption to their workflow.
Both parties are right if the organization in which they work fails to create an environment of collaboration and shared goals between development and security. Without that kind of culture, the two groups will inevitably be at odds with one another.
DevSecOps is an approach where security becomes an integral part of the development process. It requires developers and security personnel to have a mutual understanding and respect for what the other group does. A successful DevSecOps process reduces stress on both teams and avoids vulnerabilities being inadvertently built into the code.
The three companies profiled here—Microsoft, Verizon and the Pokemon Company—have very different business models and security needs. However, they all benefited from taking a DevSecOps approach to their internal development process.
Verizon developer dashboard provides vulnerability visibility
Verizon IT’s AppSec team needed a way to facilitate secure DevOps practices as it moved to the cloud. The team also wanted to drive a culture change within the company. “We needed something that is more sustainable that can help us build a larger influence of our centralized team, and at the same time, not burn the IT application team by keep dumping more work on their to-do list,” explains Manah Khalil, IT director of application security.
To accomplish those goals, they adopted a DevSecOps approach, but they still had to convince developers to accept it. To help with that and nurture a security culture, Verizon created the developer dashboard program. It combines technical aspects of vulnerability management with individual accountability to help instill a security mindset among the company’s developers.
The developer dashboard is a centralized, real-time record of how vulnerabilities are introduced into applications across Verizon’s business. For each of the 2,100 applications being monitored it tracks scanning frequency and results, the types of vulnerabilities found, and vulnerability density (findings per 10,000 lines of code). It also shows where in the development lifecycle each vulnerability was introduced, and by whom.
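To make the dashboard metrics concrete, here is an added example (not Verizon’s code, and not tied to any particular scanner) that computes them from scan output: vulnerability density per 10,000 lines of code, time since the last scan, and breakdowns by vulnerability type, lifecycle stage and author. The application names, field names (`app`, `loc`, `cwe`, `stage`, `author`, `scanned_at`) and the 30-day scan-age threshold are assumptions, and the records are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample data (assumptions, not real Verizon data).
# Lines of code per monitored application.
APPS = {
    "billing-api": {"loc": 42_000},
    "store-web": {"loc": 8_000},
}

# Scan history: one record per completed scan of an application.
SCANS = [
    {"app": "billing-api", "scanned_at": "2024-05-01T10:00:00Z"},
    {"app": "billing-api", "scanned_at": "2024-05-08T10:00:00Z"},
    {"app": "store-web", "scanned_at": "2024-03-15T09:30:00Z"},
]

# Open findings: type (CWE), the lifecycle stage that introduced it, and who did so.
FINDINGS = [
    {"app": "billing-api", "cwe": "CWE-89", "stage": "code", "author": "dev-a"},
    {"app": "billing-api", "cwe": "CWE-79", "stage": "code", "author": "dev-b"},
    {"app": "billing-api", "cwe": "CWE-89", "stage": "design", "author": "dev-a"},
    {"app": "store-web", "cwe": "CWE-798", "stage": "code", "author": "dev-c"},
    {"app": "store-web", "cwe": "CWE-79", "stage": "code", "author": "dev-c"},
]


def parse_ts(s):
    """Parse a UTC timestamp of the form 2024-05-08T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def density_per_10kloc(n_findings, loc):
    """Vulnerability density: findings per 10,000 lines of code, rounded to 2 places."""
    if loc <= 0:
        raise ValueError("lines of code must be positive")
    return round(n_findings * 10_000 / loc, 2)


def build_dashboard(apps, scans, findings, now, max_scan_age_days=30):
    """Return one dashboard row per application.

    A row carries the raw finding count, the density, the breakdowns by type,
    stage and author, the age of the most recent scan, and a flag marking
    applications that have not been scanned within max_scan_age_days
    (or have never been scanned at all).
    """
    findings_by_app = defaultdict(list)
    for f in findings:
        findings_by_app[f["app"]].append(f)

    last_scan = {}
    for s in scans:
        ts = parse_ts(s["scanned_at"])
        if s["app"] not in last_scan or ts > last_scan[s["app"]]:
            last_scan[s["app"]] = ts

    rows = {}
    for app, meta in apps.items():
        fs = findings_by_app.get(app, [])
        age = (now - last_scan[app]).days if app in last_scan else None
        rows[app] = {
            "loc": meta["loc"],
            "findings": len(fs),
            "density_per_10kloc": density_per_10kloc(len(fs), meta["loc"]),
            "by_type": dict(Counter(f["cwe"] for f in fs)),
            "by_stage": dict(Counter(f["stage"] for f in fs)),
            "by_author": dict(Counter(f["author"] for f in fs)),
            "days_since_scan": age,
            # Never scanned, or scanned too long ago, both count as overdue.
            "scan_overdue": age is None or age > max_scan_age_days,
        }
    return rows


def ranked_by_density(rows):
    """Application names, worst density first; this is the ordering a dashboard would show."""
    return sorted(rows, key=lambda app: rows[app]["density_per_10kloc"], reverse=True)


if __name__ == "__main__":
    now = parse_ts("2024-05-10T00:00:00Z")
    rows = build_dashboard(APPS, SCANS, FINDINGS, now)
    for app in ranked_by_density(rows):
        print(app, rows[app])
```

Note that the ranking is by density rather than raw count: the larger application has more findings in absolute terms, but the small one is worse per line of code and is also the one whose scan is overdue, which is the signal the per-10,000-lines metric is meant to surface.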