Top 10 DevSecOps Challenges #10: Communication

  • Share on Twitter
  • Share on LinkedIn
  • Share on Instagram

Adding automation to one part of a process can then flood another part of a process. With DevSecOps, we’re allowing more security tools to find more issues in more projects. 

On the face of it, that’s a good thing, however, it will result in developers (who are sent the new issues) asking more questions to the security team. This burns a lot of security teams’ time, is boring and repetitive and slows down the time dev takes to fix. All of this is bad for business.

Previously, we've explored how DevSecOps can refine a number of issues facing communication. It does this by focusing on the changes since the last run, prioritising issues so the major ones are flagged and hiding away all the false positives, duplicates and non-issues.

We also looked at how DevSecOps processes and tooling can also improve the communication of metrics so that stakeholders can view the current state of security, mean time-to-fixes, numbers and types of issues, all broken down by projects and teams. 

It’s important not to underestimate the importance of these measurements. By showing the effectiveness of what we’re doing and the improvements being made, the case can be made for the budget needed to continue to implement and improve DevSecOps going forward.

However, a major issue we continue to see is the increase in time taken on other communications around DevSecOps. Luckily, we’re taking a closer look at this issue and what can be done to fix it.

Problems with finding issues at a faster pace

Any developer will tell you - flooding a team with security issues is the easiest part. Providing effective communications when developers are tasked with fixing these issues is the important bit.

Sometimes a description, fix or remediation provided by a security tool is good enough to describe the issue and allow a fix to be applied. This can be a real differentiator for the top commercial vendors, who have put a lot of time and effort into their security fix documentation. However, for the majority of security tools, the descriptions are not enough. There have been so many times we’ve looked up a CVE online to find a lack of information about what the issue or fix is.  

Then there are the times that the best fix or procedure to fix is company-specific. Security teams can often send out advisories or document ways particular issues should be addressed - especially if those categories of issues are appearing often. 

For example, take an interface that is not protected by TLS. Your company security policy may allow this in certain cases or you may need to contact a particular team to obtain the right type of certificate for the connection. Maybe the organisation is using a purchased wrapper library for SQL interactions that protect against injections and its own rolled validation code isn’t allowed. Often, there’s some security policy or standard or advisory that dictates how security should be done for certain circumstances.

With development teams being bombarded with communications from every department, the main time a developer will be interested in security is when a security bug needs to be fixed.

In these types of scenarios, there is a massive weight put on the security teams to answer all of these questions and restate the same advice over and over again. Remember developer numbers will typically outweigh security teams. 

Security teams generally can’t scale the same as engineering teams, which means devs have to wait for answers from security (and move on) or Google the answers for themselves, which opens the door for more wasted time. So by automating DevSecOps, you’re about to accelerate the pace at which those questions are going to come in.  

Alleviating the pressure put on security teams

Allowing your DevSecOps tech or platforms to help ease this communication can again reduce the pressures on your dev and security teams. For example, simply setting up your tech to include custom information or messages specific to your organisation (i.e. our policies are X, contact team Y for certificates, use library Z) can get this information instantly to the teams who need it. This scales well and gives a centralised place where those technical or policy updates can be easily disseminated to all the relevant teams.

This frees your security experts up to do more relevant tasks, instead of repeating the same information to different teams and burning up their usable time. There are many reasons why people get interested in working in security, but documentation, report writing or repeating the same advisories over and over again are rarely top of the list.

This can have a major impact on the speed of fixes applied by developers. Devs are getting the right advice as they’re about to apply the fix, they don’t need to draft questions to the security team and wait for a response. 

With this in place, measures of mean time-to-fix will reduce, as will the time devs and security teams have had to spend on the issue. 

Everyone wins, as the sooner security issues are found, the cheaper they are to fix. 

How the Uleska Platform streamlines DevSecOps

The Uleska Platform allows you to set these security advisories to save security teams’ time and improve the speed and scale of security communications. For various categories of bugs, security teams can centrally provide advice on how the bug can be fixed, including any company-specific information like teams to contact or technology to be used.  

Then, when any issue of that category is found by a security tool and passed through the Uleska Platform, that custom advisory can be automatically added, passing through to communications with the development team (via their CI/CD pipeline, ticketing systems, reports, etc).

This means:

  • Security personnel can write the advice once and it’s automatically passed out to all development teams as they experience the issue. This saves time and scales the messaging as needed.
  • Development teams are getting the advice when they need it - when the issue is found and they’re looking to fix it.
  • If the security advice needs to be updated, this again is done centrally in the Uleska Platform, resulting in all-new instances of that issue category having the updated advice from that point onwards.

To discover more about the challenges of automating DevSecOps and how to overcome them, check out our playbook. 

Discover how to overcome the challenges of DevSecOps

The problem with DevSecOps is incorporating many layers of security tasks into the fast-paced software development cycle. Thankfully, there are a variety of things you can do to overcome the challenges faced. In our playbook, we cover the top 10 challenges of automating DevSecOps, while also delivering actionable advice on how to overcome them.overcome the challenge of devsecops

Subscribe to the Uleska blog

You may unsubscribe at any time using the unsubscribe link in the newsletter.

Popular Articles
Visit the Blog
Managing Risk

Speed up Pipelines Using Automated Risk-Based Decisions

Last week we discussed how using risk-based decisions can help speed up pipelines. You can watch the webinar on demand and read a summary of the...


Can DevSecOps Tools Open Security Testing To Everyone?

At Uleska, we focus on moving security testing away from experts running manual tests and move it to automating security checks into existing...

Company News

Start your DevSecOps journey with the Uleska free plan

Companies are developing and shipping software faster than ever before. The very nature of DevOps means that developers can work in an always-on...


Top 10 DevSecOps Challenges #9: Security Metrics, Insights and Continuous Improvement

Many security departments and management teams want to improve their processes. DevSecOps introduces the ability for much more granular measurements...


AppSec ❤️ DevOps: Bridging the DevSecOps Disconnect

It’s a tale as old as time: developers want to ship an app but are lambasted with security requests, and security teams want to secure an app but are...

Managing Risk

Top 10 DevSecOps Challenges #8: Adding Risk Prioritisation to Your Pipeline Security

DevSecOps increases the number of issues found and the speed at which they’re to be dealt with. In reality, only a small number of issues will pose a...


Top 10 DevSecOps Challenges #7: Mapping security automation to how development works

All teams present in the app development process have pressures on them to get work done fast and efficiently.  With DevOps processes and CI/CD...


Top 10 DevSecOps Challenges #6: The all-important triaging of security issues

Security tools can be noisy. In 20 years, we haven’t seen a single security tool return a set of issues that are 100% what needs to be worked on....


Top 10 DevSecOps Challenges #5: Running too many security tools in CI/CD

DevSecOps involves setting up many different automated security tools to cover all bases. It’s not uncommon for organisations to run tons of security...


Top 10 DevSecOps Challenges #4: Using DevSecOps to reduce and focus issues raised

One of the biggest challenges when rolling out a DevSecOps process is the volume of issues it can bring to light. 


Top 10 DevSecOps Challenges #3: Doing DevSecOps without constant CI/CD changes

Better collaboration between teams, faster time to market, improved overall productivity and enhanced customer satisfaction are just some of the...


Top 10 DevSecOps Challenges #2: Fitting DevSecOps into CI/CD Pipelines

Put simply, the goal of CI/CD pipelines is automation and a key goal of DevSecOps is to alert someone to a problem as early in the automated-delivery...


Top 10 DevSecOps Challenges #1: How to approach DevSecOps security automation

DevSecOps encourages security tasks to be wrapped and enabled with software development and operations tasks. The aim is to make them as seamless as...

Company News

Introducing Uleska: The Future of DevSecOps Automation Tools

Few industries have seen such scrutiny and shifts in recent years as cybersecurity. In an increasingly connected world, speed and agility throughout...