Ensuring your developers love - or at least don't hate - security
Maty Siman, founder & CTO, Checkmarx
When it comes to an organization's software security, there has been a chronic disconnect between the developers who write and build the code and the security teams who audit and enforce the code's security. This divide historically arose from common misunderstandings: programmers believe that security hinders their productivity, while security folks are frustrated that security is not top-of-mind for developers.
The relationship between development and security doesn't need to be hostile, and there are ways to engage developers more with security. As Bruce Schneier says, “Security is a process,” and your development team is an integral part of that process. And, while change is hard to come by, it is possible.
How can you get developers on board with you? There are a number of simple areas to focus on to ensure your developers start loving (or at least stop hating) security.
Start with the understanding that it is essential to get top management involved to ensure that security is perceived as important. By aligning security with business objectives, and with vocal support from your organization's CEO or CIO making it clear that security is just as high a priority as great features and non-buggy interfaces, the rest of the company is much more likely to fall in line. The key to getting the support of management is to approach them with the business value: secure coding practices prevent the underlying causes of the majority of security incidents, ensure compliance with common standards, and are part of the business-customer trust relationship.
With that high-level organizational shift you will be better armed to get your developers to care more about security, and you can start to put in place internal structures that encourage them to do so. Give your development team leaders an opportunity to share their challenges and successes with your security team by hosting discussion roundtables. That way, you can build camaraderie between the two groups while allowing team leaders to align their expectations for security implementations with each other. Allow them to cross-examine coding bugs and security flaws, mapping them back to the source in the way your developers are already comfortable with.
Once you've established a relationship with the developers and their managers, they will begin to see you in a less oppositional light. Create an online cross-team collaboration platform where developers and the security team are free to ask security-related questions, with dedicated members of the security team answering.
Developers are going to be wary of the security team butting in on their code, no matter the security issues, so it's important to approach them in the right way. Starting conversations around the latest vulnerabilities, security issues and secure development tips will give you an "in" to the developer's world. Arming them with knowledge of the latest attack vectors will go a long way in convincing them that secure coding does matter. So make sure to build and maintain credibility with the development team by offering information on recent security incidents and real-world attack walk-throughs. Learning how major breaches stemmed from vulnerable code will help them understand insecure code's impact and work toward remediating the issue.