Security & Compliance

How to Make Your Security Team Your Best Engineering Partner

Security vs. Engineering: Friends or Enemies

Security teams and engineering teams work for the same company, so their priorities should be aligned, right? Well…not quite. While each team wants to see the company succeed, they may have different visions of the best way to achieve that success.

For example, an application security lead might be focused on transitioning away from passwords, requiring MFA for all users, enforcing stricter session lengths, or implementing impossible-travel detection, while a director of engineering might be focused on increasing the engineering team’s velocity, enhancing the user experience, scaling the application, or reducing time-to-market.

These objectives can contradict each other and lead to tension.

What is the Tension?

In the above scenario, each team may have differing opinions on what takes priority. 

From the engineering perspective we might hear things like “The security team is always saying no”, “security slows us down”, or “why so many hoops to jump through?”

From the security perspective we might hear things like “they ignore our guidelines”, “they see us as obstacles”, or “they only call us when there’s a crisis.”

These sentiments can often lead to workplace battles.

5 Top Battles

These are the top 5 battles that we’ve identified between engineering and security teams.

  1. Enforcing MFA
    • Engineers: MFA might cause a negative impact on the user experience. This negative experience could lead to decreased product adoption. We should prioritize other roadmap items before assessing the need for MFA.
    • Security: MFA is crucial for ensuring authorized access. Without MFA we are exposed to attack. Besides, MFA is practically an industry standard. We should get this implemented by the end of the month.
  2. Stricter Session Limits
    • Engineers: Frequent session expirations are annoying for users and can lead to a bad UX. If users are frequently logged out, especially during critical tasks, it could lead to unhappy users. Plus, maintaining another level in our database for sessions creates complexity.
    • Security: Shorter sessions reduce the window of opportunity for exploiting stolen session tokens. In many industries, strict session limits are the de facto standard.
  3. Password Complexity
    • Engineers: Nobody can remember complex passwords, and reset flows lead to frustrated users. We will be swamped with support tickets, and switching to biometrics will be resource intensive.
    • Security: Weak passwords are easy targets for hackers! Breached databases hold over 12 billion accounts meaning attackers would have access to a huge amount of compromised credentials. Switching to biometric authentication will reduce this risk.
  4. Using Open Source Libraries
    • Engineers: Open source libraries help us speed up development!
    • Security: Open source may have hidden risks!
  5. The Admin Access Arm Wrestle
    • Engineers: We need admin access to troubleshoot issues, and our current restricted permissions slow down our workflow.
    • Security: Providing engineers with full admin access elevates security risks.

How do we find common ground to bridge the conflict discussed above?

How to Find Common Ground

In order to find common ground between security and engineering teams we need to focus on technical solutions and behavioral solutions. 

From a technical perspective:

Teams should always exercise the principle of least privilege, which means access rights are minimized to reduce risk exposure. Organizations should also embrace passkeys to reduce the risk of breached passwords. Lastly, security should be integrated directly into the CI/CD pipeline to automate testing and create collaboration opportunities.

From a behavioral perspective:

Engineers should make sure security is involved during the planning process. By including security, engineering teams can improve communication and better understand security’s goals. Lastly, it’s important to unite around common objectives and KPIs so that the two teams are measured in a consistent way.

By recognizing the common frictions between security and engineering and taking measures to reduce said friction, the two teams can work together more efficiently.