10 Reasons Why Developers are Frustrated with Security and How to Fix it
RSA Conference examines how developers can master security and privacy principles when they’ve had no particular training in it
The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.
A DevSecOps team requires smooth teamwork between security experts and software engineers to meet ambitious release cycles. But keeping these teams aligned is easier said than done. One of the security industry’s leading trainers contends that security pros often rub developers the wrong way and recommends that they build empathy to strengthen their bond.
In his RSA Conference 2021 session called “Developers Dislike Security: Ten Frustrations and Resolutions,” Christopher Romeo, CEO of Security Journey, which offers application security training programs, sought to raise awareness of the at times tense relationship between developers and security experts. One sticking point is that security pros often fail to understand coding and don’t appreciate “the real struggles with implementing security and still pushing features and bug fixes into production.”
Romeo not only catalogued the frustrations that many developers feel about security and their security counterparts, he’s also identified potential resolutions that he offers as recommendations to security team leadership. Romeo says his most controversial idea is that security professionals should learn to code, or at least read it, because “it is frustrating for developers to be coached, governed or managed by folks who don’t know how to code.”
10 Frustrations and Resolutions

1. Security doesn’t understand what I do and doesn’t know how to code.
Resolution: Become a developer and learn how to code.
As a security person you’ve got to understand how the code works, says Romeo. This effort would indicate to developers that you care about their plight.

2. Nobody ever showed me how to “security.”
Resolution: Build a security coaching practice and education program.
How can developers be expected to master security and privacy principles when they’ve had no particular training in it? Listen to developers, ask what help they need, and build solutions to teach and coach, recommends Romeo.

3. I don’t know why we put so much effort and time into security.
Resolution: Start with why and security ROI.
When security pros take the time to explain why things matter, they can get developers on board with their mission. Sell this to developers by explaining “the less rework we can do, the more cool new features we can add as developers,” says Romeo.

4. The security process is difficult or undefined.
Resolution: Use the SDL (Security Development Lifecycle) as guardrails.
Give developers clear instructions and predictability, especially when it is difficult for them to gauge how much time they will need on an assignment.

5. Security changes their minds all the time.
Resolution: Gain understanding and offer a second opinion.
“We don’t change our minds, we reinterpret the data,” security pros may counter. According to Romeo, security needs to admit when they’re wrong and move on.

6. Not enough time to do security.
Resolution: Raise awareness about security resource needs.
The more management support developers receive, the more productive they become with security, says Romeo.

7. Security is a silo and acts as a gatekeeper.
Resolution: Partnership, not gatekeeping.
If you treat developers as true partners, they will seek opportunities to reciprocate, says Romeo.

8. Security busy work.
Resolution: Optimize the process and no busy work!
No one likes to perform “busy work” tasks. Developers prefer work with meaning and value, explains Romeo.

9. The sky is always falling; we never celebrate success.
Resolution: Celebrate security wins.
Recognize security achievements because people want to work where their efforts are valued, says Romeo.

10. Security tools are loud, obnoxious, and inaccurate.
Resolution: Tune the tools.
Properly tuned tools provide security and privacy value for developers. And if they can’t be tuned, replace them, recommends Romeo.
Confused about what to do first? Assess how your organization is performing against this list of frustrations, suggests Romeo. If the complaints ring true, try job shadowing. Security pros should hang out with a developer for at least a week and practice empathy with them. Romeo believes your developers will thank you and your DevSecOps team productivity and camaraderie will improve.