Why are development and security teams often at cross purposes? How can product owners, developers, and infosec teams collaborate to achieve their goals? To answer these questions, let’s look at a rivalry that started with a classic ’80s movie, “The Karate Kid.” In the climactic scene of the movie, Daniel, who only uses karate in self-defense, faces Johnny in a tournament. Johnny, on the other hand, believes in the “strike first, strike hard” mantra of the Cobra Kai dojo, and the match turns vicious.
Despite the odds, Daniel beats Johnny and wins the tournament. Decades later, their rivalry continues in a new series, “Cobra Kai.” In the present day, Daniel and Johnny set up competing dojos to teach high school students their different karate methods. Ultimately, the two men team up (with a few stumbles along the way) and teach both styles of karate to defeat their common enemy.
When development and security teams are siloed, their objectives will naturally be at odds. Development’s top priority is features at speed. Security, on the other hand, is responsible for protecting the data and, therefore, the application that collects, uses, and processes that data. Security assessments and checks often add time to the release cycle, which can run counter to the development team’s goal of releasing quickly and frequently.
The “Cobra Kai” Solution To The Conflict Between Speed And Protection
Just as Johnny and Daniel learned from each other, developers can learn defensive techniques from security pros, and security can learn how to keep up with development so features can strike first and hard. Here are five concepts from “The Karate Kid” and “Cobra Kai” that can help turn disparate teams into an unstoppable alliance:
- Break down silos to form one dojo. Just as Johnny and Daniel join forces to create a more powerful karate style, build a culture where development and security are on the same team. Start by involving security in the earliest stages of the product lifecycle. When a new technology stack is being considered, such as moving to containers or serverless functions, security can raise awareness of its security challenges, common issues, and any known exploits. Together, security and development can determine how to utilize the new tech stack securely and without incurring more risk to the business. Team velocity increases when security requirements are designed into the product from the start rather than bolted on at the end.
- Empower developers with the “crane.” In “The Karate Kid,” Daniel uses a move called the “crane” to feel empowered and win. In the same way, security can empower development to secure what they sell. Security teams can do this by providing secure coding best practices, supplying secure libraries and frameworks, and training developers on remediation techniques.
- Shift left and wax on. The earlier a security issue can be identified, the easier and cheaper it is to fix. Integrating and automating security testing tools in the CI/CD pipeline creates a feedback loop to address important findings while the code is fresh in developers’ minds.
- Protect right and wax off. Deploy application protection and monitoring in production for another layer of defense. Even the best prerelease efforts can’t detect every security issue prior to deployment. For example, runtime application and API protection tools can detect and block attacks such as SQL injection, remote code execution, or unauthorized actions. Development teams moving to the cloud can code security protections into deployments by declaring security best practices, such as the principle of least privilege, in their infrastructure-as-code scripts.
- Deploy your “flying tornado” with a security champions program. In “Cobra Kai,” Johnny teaches his students a winning move called the “flying tornado.” A developer security champion could be the flying tornado of the alliance between security and development at your organization. In a developer security champions program, developers who are interested in security volunteer to learn about application security and then serve as a liaison between development and security.
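The “shift left” and “protect right” points above come together in a pipeline check that reads the IAM policy attached to a deployment and fails the build when it is broader than least privilege. The following is an added example, not code from the original post; the two policy documents are constructed samples in AWS IAM JSON policy format, and the wildcard rules it applies are the author’s assumption of what such a check would flag.

```python
"""Flag IAM policy statements that violate least privilege (added example)."""
import json

# Constructed sample: the "bolted on at the end" shape, Allow-all on everything.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed sample: the same role scoped to the bucket and actions it needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"}
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy_json):
    """Return findings for Allow statements that use wildcards.

    A service-wide action wildcard such as "s3:*" is flagged as well as the
    global "*", since both grant more than a single workload normally needs.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag.
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource '*'")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, least_privilege_findings(doc) or "OK")
```

In a CI job, a non-empty findings list is the signal to fail the step, so the developer sees the finding while the change is still fresh.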
While we have to wait another year for season five of “Cobra Kai,” you don’t have to wait to apply these DevSecOps lessons. Schedule a meeting with me to get your organization on the path to a DevSecOps black belt.
(written with Isabelle Raposo, research associate)