Anushika Babu
March 24, 2023

Security and Engineering Can’t Get Along

Table of Contents:

  1. Introduction
  2. How to Bridge the Gap Between Security & Engineering Teams?
  3. Training: A One-Stop Solution


It’s not news that the security and engineering teams are always at loggerheads. Neither can agree on a common goal, resulting in a communication breakdown and productivity loss. So, how can team leaders end the perpetual conflict and foster collaboration instead? We’ll tell you how.

How to Bridge the Gap Between Security & Engineering Teams?

Security teams like double-checking things and ensuring no loopholes or data threats are present. While engineering teams are more inclined towards innovating newer solutions. This can lead to further disagreements. 

Teams nowadays need to release software at a rapid pace to stay competitive. This means security gets deprioritized most of the time. The issue often stems from the product teams' unwillingness to associate ‘quality’ with ‘security’.

Companies often conduct security testing annually to clear audits. As soon as compliance mandates are fulfilled, security concerns are usually forgotten. This persistent culture of "security comes last" severely heightens friction between both teams.

But you can still do a few things as a team lead or CISO to encourage collaboration and communication between teams. Let’s look at 3 steps that can make security more efficient.

Step 1: Make Security Testing Regular and Ongoing

Regular security testing lets both teams better understand each other's goals and responsibilities. Security professionals can gain a better understanding of the engineering process. Similarly, engineers can gain a better understanding of the security process. This leads to improved communication and trust between the two sides. Both parties become more aware of each other's roles and responsibilities. 

Security testing also lets security professionals stay current on the latest security threats. This helps them provide timely and effective advice to engineers on mitigating those threats. Security engineers cannot run a test or two yearly and give meaningful feedback. 

AppSec must keep pace with your rapid release cycle. This means every new build needs to be tested for security. Therefore, making security testing regular helps to foster a culture of collaboration.

Step 2: Bring Down Silos in the Product Team

It’s common to see teams involved in a project working in a vacuum, barely communicating. This is the quickest way to deprioritize security and often comes at the SDLC's end. But involving security teams throughout the SDLC allows for early detection and easy mitigation of loopholes.

Bringing down silos in a product team can improve the relationship between the two teams. This step can create a more open environment for collaboration and dialogue. It can reduce the risk of miscommunication and help quickly identify potential risks. 

Involve your security team from design to development, production, and beyond. They can:

  • Create user and abuser stories
  • Map threat scenarios
  • Identify key security controls

Remember to iterate, get feedback, and improve incrementally.

Also, the engineering team needs to give the security team access to the DevSecOps pipeline. Security engineers can bring in their arsenal of tools that can be automated for continuous testing at a much higher frequency.

Step 3: Automate Security Testing

This is the foundation of DevSecOps. It includes automating SAST, DAST, and SCA protocols. You can count on the following:

  • Frequent testing  
  • Vulnerabilities cleaned up for false positives and prioritized 
  • Results being sent as tickets to developers for remediation

This feedback loop allows developers to fix bugs as part of sprints much faster. Proper integration of security activities into the DevOps pipeline is also facilitated. Doing this will ensure your products are much more secure without sacrificing deadlines.

Automated security testing can help eliminate the need for manual testing, and it also provides more consistent and accurate results. Manual testing can be tedious and time-consuming for security professionals. 

This way, engineers trust the security teams' recommendations, making them more likely to follow security best practices. Automated testing will reduce the time security professionals need to spend on testing. This will let them focus more on developing security strategies, policies, and procedures.

Training: A One-Stop Solution 

Training can help improve the relationship between security professionals and engineers. This way, both teams understand each other's roles and responsibilities better. Both can also identify areas of overlap and collaboration. we45 can help organizations to train their in-house security teams effectively.

Security and engineering teams can take our training, and everyone can become security-savvy. At we45's Instructor-Led Training, we provide our lessons in lab environments modeled after real-world security incidents.

Your teams can create customized defense systems using our ADD (Attack, Detect, and Defend) Method. For more details, connect with us today!