Jeremiah Grossman wrote an excellent post on infrastructure vs. application security spending last Friday that got me thinking the whole weekend. Jeremiah's point was that software companies are over-spending on infrastructure security and under-spending on application security, and that more spending and attention should go to application security than to infrastructure security.
I kept thinking over the weekend about what the first obstacle would be to companies realizing the importance of software security, and it threw me back to Erik Klien's comment last week, where I was trying to give software companies more reasons to implement an application security program. Erik made the point that software companies don't see a need.
And they will continue not to see one as long as developers are not fully engaged in the problem. I am not saying that developers are the problem at all; I am saying that the key to the puzzle lies in the developers' hands, not the execs', not the CIOs' and not the managers'.
CIOs are not the right approach, because a place that needs a CIO is a place already aware of the problem, and you don't really need to do much there. This is not where I see the most bang for the buck.
Executives are not the right approach either, because they only talk ROI, stock value and dollars, and application security has not yet been shown to speak that language. Application security lives in the neighborhood of insurance, not ROI.
I think that developers are the right approach to the problem. Developers love doing the right thing; they take a lot of pride in what they do and hate others pointing out mistakes in their code. Application security speaks to all of that.
Software developers are the best-positioned parties to see the problem, because they are the ones most familiar with the code and know it upside down.
Unless we get developers to talk to developers about security, I think that five years from now the level of spending on application security will be the same as it is today. More awareness in the developer communities is the way to go; developers will start understanding that little changes in their code can make a lot of difference security-wise. And I like to believe that security awareness is contagious: so many times while organizing OWASP's Ottawa Chapter meetings, I have seen the revelation-like impact on software developers when they understand how attacks happen and how attackers go to great lengths to find ways to exploit code.
From your experience, what do you think the right approach to security awareness is?


The issue with this is that the majority of the time it isn't the developers or the architects that are driving the timeline. It's management's desire for time to market over quality.
Agreed. However, tomorrow’s management is today’s developers. Also, if the developers started talking the security language, I don’t think management can ignore it for long.
We are finally seeing the concept of the mentor / protege pay off after extensive marketing efforts to Sr. Developers. We offer an ANSI accredited on-line course which covers the principles of secure coding practices. It is not a hard-core training course, but an awareness course focused at anyone who is involved in the SDLC process – from the Procurement Officer to the hands-on coder.
We tried every avenue we could think of, i.e. the Compliance Officer, the Security Officer, H/R, Training Managers, CIOs, everything... then we realized, just as you did, that awareness must start at the Developer level and work its way up.
Once we realized this and properly addressed the need for the Sr. Developer to ensure that everyone who has a stake in the SDLC, and especially the more junior programmers / developers, has an awareness of the basics, we have seen a couple hundred percent increase in people taking our training and getting certified.
I completely agree that Software Developers need to be onboard. It is the developers that must understand security and be onboard right from the first lines of code. Security must be built in, it can’t be “sold” after the fact.
@Mark Agree with you, I think there will always be a need for some aiding tools for assurance for the most part but it wouldn’t be a substitute for the built-in security.