Connect with us

Hi, what are you looking for?

Code Life

Who’s responsible for securing software?

In a world that is embracing DevOps, Infosec is not sure which one should shoulder this responsibility.

A Venify report showed that the number of companies where DevOps is responsible for the security and the number who assign this to their Infosec department is almost evenly split. But should there really be this ambiguity regarding the responsibility of software security?

When you look at the situation on paper, you might say that Information Security should find holes in the apps because they are normally penetration testing the company’s running software anyway. But equally compelling is to claim that because DevOps knows how the software works and is likely one of the few units with access to the codebase, they should be at work making sure hackers cannot exploit the software.

From this perspective, it seems that both of these views are right. DevOps should patch their programs - and make sure there are none of those pesky off-by-one errors - while Infosec has the knowledge necessary to send a running program off the rails.

So for you and me, it seems obvious to us what the roles of those two departments should be.

But what about who takes responsibility when a cyberattack happens?

I’m not really the one posing this question. Executives often assign this taking-in-charge to either DevOps or Infosec, provided that both exist. We don’t see most businesses sharing collective blame after a hack, right? So why don’t they just make one department responsible for protecting the company from breaches?

That would be a poor approach to the problem because merely pentesting the program for vulnerabilities ignores the fact that hackers can try a completely new attack vector to enter the organization. And while DevOps can guard against basic flaws such as null dereference, they don’t have the time that Infosec has to run different tests to catch new vulnerabilities continuously.

I don’t believe that incident response should be a blame game and that all departments which play a part in the application interacting process should take responsibility to protect the software they use at their company and write, not only for their own company but for clients that also use the software in their products as well.

Cover Image by maxxyustas from Envato Elements


Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Also Like


Earlier Bitcoin Wallet used to be a bunch of private keys. In order to use new address, user had to generate new private key...


When you send Bitcoin from your wallet to some other address it needs some time for transaction confirmation in the blockchain.


To use Bitcoin, user generally needs two things: Private Key and Bitcoin Address.


Paper wallets if done right are one of the most secure ways of storing bitcoin especially if done on an air gapped computer.