In many organizations, building and securing apps has typically been a siloed affair. The product owner, the network engineer, the developer and the security engineer all come from different teams. And all too often, these teams become fiefdoms that believe their focus is the company’s primary objective.
Today, with Agile and DevOps moving faster and faster, this methodology has become a risk in itself. Since the security team often lacks up-front knowledge of the project, the threat model assessment is done after the fact. Controls amount to a wrapper around any new application or service, because the security team steps in late as the security czar without really understanding why the business is developing the app in the first place. Then the business can't release the new application on time, because the threat model assessment can take weeks or months to complete.
If this is happening in your organization today, we would say that you, as a security person, have become a form of friction. Your approach to security amounts to swooping in and potentially delaying a project by months. As a result, other teams may delay or even avoid reaching out. And that means risk.
Read the full article, published by SecurityWeek on May 29, 2019, here: https://www.securityweek.com/get-cross-functional-learn-let-go-and-embrace-devsecops