Uniting Dev and Sec Teams by Putting Security First

Palo Alto Networks blog, 21 August 2019 (category: Secure the Cloud; tags: DevOps, Prisma)
https://www.paloaltonetworks.com/blog/2019/08/uniting-dev-and-sec-teams/

From product teams to architects to developers, “shift left” security (https://www.paloaltonetworks.com/blog/2019/07/4-practical-steps-shift-left-security/) is becoming an integral part of everyday vocabulary. It is generally understood across technology departments that the old way of doing things, where developer teams deployed code into production before security teams tested that code for vulnerabilities, was inefficient and brought about a number of costly security outcomes. Shifting left reduces risk, is cost-efficient and strengthens security.

Many companies are still struggling to “shift left,” despite its known advantages. Some developers are still saying, “Security isn’t my job, that’s for the security team!” Security teams are still telling developers to go back and fix their security mistakes, with little collaboration between the two teams.

Fortunately, there are actionable steps that companies can take to help facilitate this cultural shift and get all teams involved in software delivery marching together to the left. Here are four action items intended for managers and security teams to help enable DevSecOps:

1. Setting realistic deadlines: Management often sets a deadline based on what the stakeholders tell them. Then, when something goes wrong, developers scramble to make up for lost time. Faced with pressure to deliver on time, security is generally the first thing developers let slip. Instead, IT managers should expect that incidents will happen and make allowances for them as part of the project delivery timeline. When a delay occurs, management should never punish developers. This may mean having that tough conversation with the project stakeholders where you say, “We will be late because security matters to us.” By giving developers the support to prioritize security, you are teaching them its importance and influencing a shift towards a security-minded culture.

2. Hiring and training security engineers who code: For the two teams to collaborate, security needs to be able to help developers solve their problems. By hiring security engineers who code (and training the ones you already have in coding), security can approach developers with the attitude of “We’re going to figure this out together.”

3. Internal rebranding for SecOps: It’s a good idea for security teams to come up with a new name to help reposition themselves in the minds of developers and shed pre-existing reputations. Consider a fun acronym like Development Operations Partners in Excellence, or “DOPE” team. The name should denote a partnership with developers.

4. Automation: Automate security best practices via API-based tools (https://www.paloaltonetworks.com/cloud-security/public-cloud-products) that inject security into the CI/CD pipeline every step of the way. By implementing tools that automate security, you are giving developers the support they need to build in security without asking them for too much heavy lifting.

Beating the drum to march to the left

Some security managers make the mistake of bringing the hammer down on developers, thinking this will make them care more about security. But shifting left doesn’t require calling people out; it requires calling people in.

For a firsthand account of how DHI Group successfully shifted their security left, check out this blog, “From ‘DevOps vs. SecOps’ to DevSecOps” (https://docs.google.com/document/d/17x3e2RIKFxq28o9-X30HmYSl0MJAafkvJv6I5iYJIgw/edit?usp=sharing). Also, to learn about an API-based tool that can help your organization unite Dev and Sec teams, I encourage you to check out a Prisma Cloud daily demo (https://www.paloaltonetworks.com/events/live-demos#cloud).