SOFTWARE DEVELOPERS AND SECURITY
Security is becoming hugely important. The higher priority, though, is on the code used to build many companies’ products. The intersection of code and Security can be a turf war. Young developers are entering the market with an automatic disposition toward secure code. But things are going to have to change more quickly, and to do that, companies and developers need to meet in the middle in several critical areas. I’ll speak first to the company, then to the developer.
Company, you want your developers to deliver on-time, on-budget, bug-free code. Yes, you pay them a lot, but you work them pretty hard, too. For your developers to buy in, you must first have what my friend Christopher Romeo, CEO of Security Journey, calls good Security Behavior, which is a top-down manner of behaving that decreases danger, risk and threat. That behavior should be consistent and well defined in each department, and it should not be a “process” but a habit. Currently in the U.S., there are 1.6 Security professionals for every 100 developers. Making your Security team responsible for developers toeing the Security line is a non-starter. Frankly, they might get themselves killed trying to throw weight in the developer room. And whatever you do, don’t get frustrated and unleash Compliance on your developers. Understand that your developers are your first line of defense in Security. Foster the developers that show an interest in Security – monthly training helps. Send them to conferences and reward them financially. Also, while they are implementing new processes, give them a little more time. If you have a DevOps team, this could be good news. Exploring methods and tools in deployment, testing and automation to implement Security practices shows a serious commitment, and developers will take notice. Security is a culture shift, and culture shifts are hard. But if a company takes a proactive, positive and educational approach, developers can become a force in Security.
Developers, you’ve probably gotten the impression by now that this Security thing isn’t going away. And, frankly, you’ve been fairly immune. Security certifications and accreditations don’t examine web applications, and your input has pretty much been assumed to be valid... and untested. Unless, of course, you end up sitting in Response one day while your source code is being probed as a possible leak site (you don’t want to be there). It’s a good idea to get ahead of the curve on Security. After all, you know that bolt-on Security after development is a farce. You can’t trust all third-party development, and while handy, you probably don’t need to be given the keys to the change control process. My encouragement to you is to embrace leadership toward secure code for some very good reasons. First, if you show yourself to be open to the inevitable tide of Security, you can lead by explaining that your team can’t be expected to manually go through the code. Get on the front end of figuring out the tools and timelines you need. You never know – you might like the whole Security thing. You might think you earn a solid living right now, but I can assure you, it pales in comparison to the upward mobility and earning potential in Cyber Security.
Deeper Security in App Development is here. Companies and developers need to find themselves on the same team. Concessions from both sides can ease the process.