Experts at Black Hat 2024 reveal how developers and security pros can collaborate better: from shifting left to embracing AI and prioritizing user experience.
In the ever-evolving world of cybersecurity, the relationship between developers and security professionals is crucial. At Black Hat 2024, industry experts shared their insights on how these two groups can work together more effectively to create more secure systems. This article explores critical areas where developers and security professionals can improve collaboration and practices.
Shifting Left: Security from the Start
Several experts emphasized the importance of integrating security earlier in the development process. Idan Plotnik, co-founder and CEO of Apiiro, suggests that "developers and security professionals need to focus on integrating AI security into their application security processes." This approach ensures that security is not an afterthought but an integral part of the development lifecycle.
Phil Calvin, Delinea's Chief Product Officer, echoes this sentiment, stating, "There's the known concept of 'shifting left'—moving security closer to the application development phase versus as an afterthought, which many organizations have adopted as a best practice."
Embracing AI and Automation
As AI becomes more prevalent in development and security, professionals in both fields must adapt. Katie Paxton-Fear, API Researcher at Traceable AI, notes, "We've seen AI and AI security move into focus very quickly, which is great news because we are finally developing security with the technology as it grows and matures."
Orion Cassetto, head of marketing at Radiant Security, advocates for "embracing the power of AI-based automation and intelligence for all manual tasks in the SOC."
Focusing on Data Stewardship
With data's increasing importance in modern applications, developers and security professionals need to prioritize data management. Amer Deeba, CEO and co-founder of Normalyze, suggests a "heightened focus on data stewardship. Developers and security professionals need to pivot their focus towards a deep understanding of the data they create and manage."
Adopting a Human-Centric Approach
While technology is crucial, several experts emphasized the need for a more human-centric approach to security. Rajan Koo, CTO of DTEX, advises, "Developers and security professionals need to start looking at cyberattacks with a human-centric lens." This approach involves understanding the intent behind behaviors, not just the technical signals.
Prioritizing User Experience
Security should not come at the cost of usability. The team at SquareX emphasizes that "security should never come in the way of user productivity. This should be the principle of any design." They suggest that cyber professionals should prioritize user experience alongside security principles.
Continuous Learning and Adaptation
Given the rapid pace of change in technology and threats, continuous learning is crucial. Antonio Sanchez, Principal Evangelist at Fortra, recommends "taking the time to mentor and train the next generation" in areas like vulnerability management, configuration management, and security awareness.
Improving Communication and Collaboration
Several experts highlighted the need for better communication between developers and security teams. Phil Calvin of Delinea stresses the importance of "greater transparency with security professionals, communicating the concerns and risks to developers." This open line of communication can lead to more secure and efficient development processes.
Resilience-Focused Development
Shariq Aqil, Global Field CTO at Zerto, emphasizes the need for a shift in focus:
"Developers and security professionals should focus on resilience, not just recovery. They need to ensure that their solutions are designed to recover from cyberattacks from every angle and bring the environment back online quickly."
This approach goes beyond traditional backup methods, encouraging teams to build systems that can withstand and rapidly bounce back from cyber incidents.
Addressing Hardware and Firmware Risks
Alex Holland, Principal Threat Researcher in the HP Security Lab, highlights an often-overlooked area:
"Security professionals can reduce hardware and firmware risks in their environments by taking the following steps. First, adopt Platform Certificate technology that enables the integrity of device hardware and firmware to be verified upon delivery."
This advice reminds us that security considerations must extend beyond software to hardware.
Implementing Zero Trust and Least Privilege
Bruce Esposito, Senior Manager of IGA Strategy and Product Marketing at One Identity, advocates for a more stringent approach to access: "Just as organizations today have a 'trust but verify' view of their people, they must do the same with AI." This perspective encourages developers and security professionals to implement zero-trust architectures and least-privilege access models, even when dealing with AI systems.
Enhancing Supply Chain Security
Javed Hasan, CEO and co-founder of Lineaje, stresses the importance of understanding the entire software ecosystem: "Any software that your company builds has a direct runtime dependency on the software that is bought." He encourages developers and security professionals to gain deeper visibility into their software supply chains and associated risks.
Leveraging Advanced Threat Intelligence
Steve Stone, Head of Rubrik Zero Labs, suggests a more proactive approach to threat detection:
"Security leaders must realize that they will never be able to fully quantify risk — or completely eliminate it. Instead, what they can do is get a handle on the most impactful levers, work to address predictable outcomes, and take distinct actions to change the risk calculus in their favor."
This involves leveraging advanced threat intelligence and focusing on high-impact areas of risk.
Embracing Secure-By-Design Principles
Kiran Chinnagangannagari, CTO, CPO, and co-founder of Securin, emphasizes the importance of secure-by-design principles: "Security teams need to roll up their sleeves and learn to code, while developers must embrace the 'secure by design' philosophy from the outset." This approach ensures that security is baked into the development process from the start rather than bolted on as an afterthought.
Improving Data Visibility and Control
Jackie McGuire, Senior Security Strategist at Cribl, encourages a more holistic view of data:
"If teams focused more on building a strong data foundation, they would be better equipped to handle security challenges as they arise."
This involves improving data visibility across the entire infrastructure and implementing robust data control measures.
Conclusion
As the cybersecurity landscape evolves, the relationship between developers and security professionals must adapt to meet new challenges. These industry experts' insights underscore the multifaceted nature of modern cybersecurity and provide a comprehensive roadmap for better collaboration and more robust practices.
By shifting security left, embracing AI and automation, focusing on data stewardship, and adopting human-centric approaches, teams can lay a strong foundation for security. Furthermore, implementing zero trust models, enhancing supply chain security, and addressing hardware risks expand the scope of protection. Prioritizing user experience ensures that security measures don't impede productivity, while committing to continuous learning keeps teams ahead of emerging threats.
The key takeaway is clear: effective cybersecurity is not just about adopting new technologies or following best practices. It's about fostering a security culture that permeates every aspect of the development and operations process. By embracing these diverse approaches and improving communication, developers and security professionals can work together more effectively to create more secure, resilient, and effective systems in the face of evolving cyber threats.
Ultimately, by continuously learning, adapting, and collaborating, these two groups can stay ahead of threats and build truly robust systems that withstand the test of time and the ever-changing threat landscape.