When asked about how the security team can effectively collaborate with the development organization, Wendy (with tongue in cheek) responded:
- “Personally I have always been a fan of bribery. Buying food, lots of drinks.”
Wendy went on to provide the following advice:
- “Helping the developers achieve their goals, not your goals, is what is going to lead you to working better together. If they feel that you are on their side, that they see you as assistance not as an obstacle. You really need to spend time with them, learn about what they are trying to do, see if there is any way you can help even if it has nothing to do with security.”
We took this approach and extended it in the design of the Sonatype CLM. We realize that if the security, licensing, development, and IT Ops teams are not on the same page, that application risk will not be managed effectively. We account for today’s modern development approach that uses short sprint cycles as part of an agile methodology.
- The CLM provides guidance throughout the development lifecycle. The CLM prevents problems by providing information early in the lifecycle vs. a phonebook of potential issues that the developer has to address just before production.
- Policies can be implemented that provide flexibility to the developer early in the development lifecycle while locking down production deployment. The CLM doesn’t force the developer through a laborious approval process before they can use a component.
- The CLM allows the security team to assess overall enterprise risk and policy compliance. This information makes it easy for the security team to communicate with development management and executives.
To see how policies can actually speed development & improve collaboration, check out the “Implement flexible policies that speed agile development with guidance for each lifecycle stage” section of the product tour.
Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.