IT security and development teams are divided over who is and who should be responsible for securing software, a new report from cybersecurity company Venafi has shown.
When asked who is responsible for software security at their organisations, the sample of 1,000 DevOps and Sec professionals were equally split, with 48% saying development were and 48% saying IT security were.
Of far greater concern is the divide over who should be responsible for software security. Only 58% of IT security felt that their team should fortify build pipelines compared to 53% of development believing they should.
This lack of accountability seems concerning, but vice president of security strategy at Venafi, Kevin Bocek, explained it as such: ““Traditional roles are unclear about who is responsible for securing software pipelines – engineers build code, while security teams protect the business. But who protects software developers and who can understand how to protect the code developers write? That’s why we see development teams hiring security engineers, and security teams recruiting coders.”
This lack of alignment for who should be responsible extended to executive leadership as well, with 48% favouring IT security, 39% favouring development, and 12% believing both share responsibility.
“Most respondents are fundamentally ambivalent about their ability to defend against attacks on software development, and this is a clear indication that leadership teams need to establish clear priorities and strategies for this critical area of security,” added Bocek.
Considering only 20% of respondents were ‘completely confident’ in their organisations ability to defend against a cybersecurity attack, Bocek’s point on establishing priorities rings especially true.
Venafi concluded that to successfully enhance software security, engineering teams—which encompass product development engineering, infrastructure engineering and product security engineering as well as application development—must take the lead. The report claims that ‘only engineering has the visibility and span of control to effect the necessary changes.’
However, these teams will need the guidance and expertise InfoSec can provide to ensure that security controls are effective and corporate policies are being enforced.
Want to learn about DevOps from leaders in the space? Check out the DevOps-as-a-Service Summit, taking place on October 7 2021, where attendees will learn about the benefits of building collaboration and partnerships in delivery.
