A survey of 99 application development and IT security professionals suggests organizations that appoint a security champion within their application development teams are making more progress toward implementing DevSecOps best practices.
According to the survey conducted by ZeroNorth, a provider of an application security automation and orchestration platform, 84% of respondents said they believe the efforts of dedicated security champions have both bolstered application security (AppSec) and improved relationships between security and DevOps teams.
More than two-thirds of respondents (67%) said a security champion initiative has existed in their organizations for less than two years, with almost 40% reporting an initiative being in place for less than one year.
Among respondents from organizations that have such programs, 78% said the program has strengthened the security skills and knowledge of developers, and 77% reported their organization's overall AppSec posture has improved. Half of the respondents (50%) named a passion for security as a characteristic of any successful security champion.
More than half of respondents (56%) said support from corporate security leadership was a top requirement for a security champion to succeed, while 47% said support from engineering leadership was also required.
In addition, 57% of survey respondents said corporate security teams should also play a role in defining security priorities, while 47% said they should be involved in training developers on best practices.
ZeroNorth CEO John Worrall said the survey results show security champions within application development teams are becoming a unifying force that drives increased levels of collaboration between DevOps and security teams. In effect, the security champion functions as an ambassador for the security teams among developers, who typically don’t have a lot of security expertise, he noted.
At the same time, security champions within application development teams increase the confidence security professionals have in developers as responsibility for AppSec shifts further left toward DevOps teams, Worrall said.
Collaboration between those teams is more critical than ever as organizations embark on digital business transformation initiatives that are likely to become primary targets of cybercriminals, who increasingly are focusing their efforts on high-value targets, he added. The challenge now is finding a way to automate DevSecOps workflows to make sure that the rate at which those applications are being developed is not impeded by manual security reviews or security scans that take too long to run, said Worrall.
The level of progress organizations are making toward embracing DevSecOps best practices is, of course, uneven. However, it has become apparent that continuing to rely on understaffed security teams to review applications for security flaws before they are deployed to production is no longer practical. But finding a security champion with the appropriate level of application development expertise is no easy task. Merely adding someone from the security team to a DevOps team is unlikely to succeed if that individual has no development experience. In fact, it is often easier to teach developers about security than it is to teach cybersecurity professionals how to code. The issue is finding a developer whose zeal for security is contagious enough for the whole DevOps team to eventually catch it.