Cracking the code to overcome developer and security team differences
Implementing the right consolidated internal development platform (IDP) can nudge your Dev and Sec cultures in the right direction — toward collaboration and away from conflict through tooling and automation.
Not long ago, narrow interests governed IT operations. Each business function had separate sets of vendors, applications, or hardware preferences. Eventually, organizations realized that these business silos resulted in operational inefficiencies such as missed growth or cost-saving opportunities.
However, the vestiges of siloed thinking and tribalism remain. When developer and security teams clash, it manifests in:
- Software vulnerabilities
- Slowed development
- Misaligned toolchains
- Corrosive cross-team communication
The dysfunction between Dev and Sec teams reflects competing priorities and expectations. The Sec team wants Devs to share its focus on data protection and preventing breaches. The Dev team instead prioritizes speed, innovation, meeting marketplace demands, and improving the user and developer experience. Devs dislike it when Sec teams impose obstacles that slow down their efforts. “Nearly 8 in 10 CISOs (77%) and more than two-thirds of developers (68%) agree that the need to prioritize security causes tension between their teams,” according to a recent software security study. In the same report, 82% of developers agreed that software “security practices shouldn’t make it more difficult for them to get their work done.”
The key to fixing this friction is a relatively new discipline: platform engineering. The sections below explain how the right consolidated internal development platform (IDP) can nudge Dev and Sec cultures toward collaboration and away from conflict through tooling and automation.
» Legacy patterns cause continued friction
The Dev and Sec disconnect stems from outdated on-premises datacenter tooling, workflows, and organizational structures that aren’t suited to building and operating cloud applications. Sec teams still insert ticket-based workflows, manual toil, and manual reviews into Dev workflows to catch vulnerabilities before apps go into production. Dev teams often push back on these controls, saying they shouldn’t have to be security experts and can’t meet deadlines when these extra responsibilities and slow workflows are imposed on them.
» DevSecOps and automation tooling sprawl
DevSecOps teams were an early attempt to bridge the process gap, but they sometimes end up extending the Dev and Sec tool misalignment. These teams are tasked with deploying more automated checks and processes with fewer manual approvals or ticketed workflows. However, the proliferation of too many tools, with each team picking favorites rather than standardizing with the wider organization, forces security teams to protect a wide surface area and complicates the challenge of securing access to machines, people, and networks. DevSecOps teams also struggle when they add so many tools that the Dev and Sec teams lose visibility and control over their cloud infrastructure and its security.
» Valuing new platform workflows
Preventing or recovering from this “wild west” tool-picking scenario requires a platform team to rein in the chaos that comes with having no standard tooling platforms and workflows across an organization. The platform team can elevate cloud security by implementing a unified approach to deploying, securing, and managing applications. Integrating security best practices into developer workflows (often called a “shift-left” approach) secures cloud software without slowing development.
How does the new platform deliver sustainable value? Striking a balance between security and speed, the new platform workflows must:
- Accelerate developer velocity for launching new infrastructure securely
- Secure keys and credentials that applications use with minimal developer friction
- Provide faster access to a tightly defined list of privileged systems
- Connect services quickly and securely over the network
- Speed up debugging and auditing
The list of tools used to build this platform should be decided with the help of champions in both the Dev and Sec teams. As Kelly Monteith, Global Public Cloud Lead at AXA Group, explains it: “We've seen developers are a funny bunch. If you don't give them the tools, they're engineers; they're going to invent something. They're going to build it themselves. They probably won't consider all of our security or compliance needs that we have, so our approach is not to mandate the use of something, it's try to provide the services that those developers are asking for.”
» Reducing stress and advancing security
Looking back on the past few decades of enterprise computing, one can quickly point to periods when decentralized and highly manual tasks or vendor-specific toolchains were the dominant choice. Yet, in this highly regulated, cloud-driven development age, there’s never been a greater need for secure software supply chains, cross-team collaboration, automation, data-sharing, and broad observability. Those conditions underscore the advantages of flexible yet highly secure and centralized controls.
Executives and managers can take years shopping for dozens of products to meet those conditions, or even longer trying to manage initiatives to roll their own toolchains. About half of CISOs already know that consolidation is the right path, but it’s not easy. What IT leaders really want are not just tools and products, they want partners who will help support their teams on their digital transformation journeys.
HashiCorp is one of those trusted partners to thousands of customers, with a consolidated solution: The Infrastructure Cloud. Built on the ideas of Infrastructure Lifecycle Management and Security Lifecycle Management, the Infrastructure Cloud includes the world’s most popular infrastructure as code provisioner, HashiCorp Terraform, and the gold standard of secrets management platforms, HashiCorp Vault. Organizations can deploy Terraform, Vault, and the other components of the Infrastructure Cloud as on-prem, self-managed software or as managed services on the HashiCorp Cloud Platform (HCP).
The HashiCorp infrastructure and security products enable teams to reduce Dev and Sec team stress, improve efficiency, and implement security best practices at every layer of cloud software development by building an end-to-end cloud IDP. These products reduce the burden on Devs to address security requirements directly and accelerate their ability to deploy application infrastructure. This also means fewer tickets for security teams, along with easier visibility and involvement.
The Infrastructure Cloud’s platform approach eliminates error-prone manual provisioning workflows and replaces them with standardized, secure modules and artifacts for reuse. Getting developers and security teams on the same page starts by deploying secure cloud development tools that “shift left” to reduce team stress and enhance productivity.
Read our white paper or attend our upcoming webinar to learn more about preventing conflict in the cloud between development and security teams.