Building trust: The path to true security synergy between AppSec and developers
A version of this article appeared in Cyber Defense Magazine. It has been updated and syndicated here.
A relationship that is built on the shaky foundations of mistrust is, well, best approached with low expectations. Sadly, this can be the state of the working relationship between developers and the AppSec team within an organization. Generally frosty and marred by a tendency to get in each other’s way, the situation is not ideal and leads to poor outcomes in a world of high-risk dependencies on technology.
Developers thrive on problem-solving, building features, and showing creativity in their work. AppSec, on the other hand, has the unenviable task of finding security bugs in their code, bouncing it back for fixes, and providing audits and reports that spoil the shine on the engineer’s pet projects. It’s not fair to put the blame solely on developers -- security is not their priority or part of their KPIs -- nor can the overworked AppSec team be penalized for simply doing their job. However, for cybersecurity best practices, and better security outcomes at the organizational level, they really need to start playing nice.
And it all starts with trust.
AppSec’s “bad guy” image stands in the way of DevSecOps harmony.
If your only interactions with someone come when they are pointing out where you’ve gone wrong, chances are good that their input won’t be looked upon favorably.
Rarely seen unless there is a problem, the negative connotations of the security team’s presence tend to cause some friction. The relationship has been fractured for quite some time, with developers seeing the AppSec team as blockers to their creativity, process, and punctual shipping of features, while AppSec grows very weary of continually pointing out common security bugs that have existed (as has their remedy) for decades.
With increasingly impossible deadlines, under-resourced teams, and a strong desire to avoid rework, developers would often wait until the last possible moment to ship their code, making the window of opportunity for AppSec review and intervention as small as possible. A dysfunctional process, and it has an unacceptable impact of increasing cybersecurity risk to the organization.
For security specialists, it’s a case of “don’t shoot the messenger” - after all, their job is to find bugs and report them so they can be remediated - nothing personal. The sticking point is that they can often make recommendations that are not the best fit for the company’s technology stack, so can be seen as largely unhelpful in the bigger picture of in-house software development.
The notion of AppSec as the villain is counterintuitive for most development methodologies, but for DevSecOps, it’s a disaster. The gold standard has moved well beyond Waterfall, Agile, and even DevOps, into a process that sees security as a shared responsibility from the very beginning of the SDLC as vital.
For DevSecOps to work, software engineers need to be given a reason to care about security, and that comes from understanding why it’s so important for them to do their part in securing the world’s software. Security specialists who make the effort to extend the olive branch, work with development managers to meet the team’s needs, and take on more of a mentoring role in nurturing security awareness tend to see long-term benefits from their efforts… and they spend slightly less time tearing their hair out over yet another XSS error.
Developers need to be enabled to deliver better secure coding outcomes.
When it comes to learning secure coding during tertiary education, for many engineers, it’s non-existent. And it’s not because they were all busy playing beer pong and WoW - it’s simply not part of most computer science and IT degrees.
To that end, on-the-job training is often the first exposure a developer will get to the art of software security, and it rarely sets their world on fire. Hours of boring videos are a common training method, as are “tick-the-box” compliance exercises that are far too infrequent to have any real impact on teaching developers how to code securely, or make any headway in reducing common vulnerabilities in an organization’s software.
Both the AppSec team and the development cohort are crazy-busy, so any training should be meaningful, engaging, and hands-on. Speaking from a development background, we love to solve problems and get on the tools, so most static training just passes us by while we concentrate on something more pressing (or, let’s be honest, interesting).
AppSec specialists are in a place of influence, and they can forge a long-term, win-win situation by advocating for developers’ best interests. Seeking out viable training that is job-relevant, and delivered in their preferred languages and frameworks, is a huge step towards shifting the needle and inspiring a grassroots, positive security culture within an organization. We have tried the same thing for decades, and clearly, the “one size fits all” training approach doesn’t work. By helping to deliver the right tools and knowledge to developers, they can successfully upskill in secure coding, act with a heightened sense of security awareness, and produce a higher standard of code.
Efforts to get on the same page must come from both sides.
It’s easy for people with different goals to misunderstand each other, or, at worst, become somewhat distrustful. AppSec has the goal of keeping up with the onslaught of code being churned out, and finding any security issues that may lead to data being compromised, unauthorized access, and malicious attacks that have the potential to destroy positive customer sentiment for years.
Developers, among other things, build features to deadline. They are tasked with making software functional and beautiful, and being the creators of unique digital experiences that keep customers loyal. They’ve already got a lot to juggle, and pitching them a curveball in the shape of responsibility for security is a daunting prospect. It’s seen as AppSec’s problem to secure the code, and while that was somewhat achievable in the 90s (you know, before our cars could be hacked, and our entire lives could be carried around in a pocket supercomputer called a smartphone) there is simply too much code and not enough people to run it through the security gauntlet.
With a healthy dose of empathy, plus the enablement to make security a priority from the very beginning of the software creation process, AppSec and developers can see ways to align their goals. After all, a positive security culture depends on it, and security-aware developers are the secret ingredient to stopping common vulnerabilities, even with an ever-widening cybersecurity skills shortage.
Mutual respect for time has immense benefits.
Like I said before, everyone is super-busy when it comes to making magic (a.k.a. amazing software) happen. Developers will need allocated work time to do viable, hands-on training that builds their secure coding skills, and any training program should be hyper-relevant by design.
AppSec has their time wasted by fixing the same OWASP Top 10 vulnerabilities over and over again, and developers have theirs whittled away with low-engagement exercises that reinforce the idea in their minds that security is a chore.
Curated learning experiences are vital, and they help to cut to the chase through contextual, bite-sized delivery of relevant training, right at the moment it is needed.
By curating a custom secure coding course that is tailored to desired outcomes and in-house learning pathways, the developer’s time and workflow is being respected, while at the same time working towards a measurable reduction of vulnerabilities and cybersecurity risks for the business. It is a quick win in the quest to end soft rivalries, and move forward into the cybersecurity wild west as a united front.
Secure Code Warrior’s latest contextual learning feature, Courses, is available now.
A relationship that is built on the shaky foundations of mistrust is, well, best approached with low expectations. Sadly, this can be the state of the working relationship between developers and the AppSec team within an organization.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
A version of this article appeared in Cyber Defense Magazine. It has been updated and syndicated here.
A relationship that is built on the shaky foundations of mistrust is, well, best approached with low expectations. Sadly, this can be the state of the working relationship between developers and the AppSec team within an organization. Generally frosty and marred by a tendency to get in each other’s way, the situation is not ideal and leads to poor outcomes in a world of high-risk dependencies on technology.
Developers thrive on problem-solving, building features, and showing creativity in their work. AppSec, on the other hand, has the unenviable task of finding security bugs in their code, bouncing it back for fixes, and providing audits and reports that spoil the shine on the engineer’s pet projects. It’s not fair to put the blame solely on developers -- security is not their priority or part of their KPIs -- nor can the overworked AppSec team be penalized for simply doing their job. However, for cybersecurity best practices, and better security outcomes at the organizational level, they really need to start playing nice.
And it all starts with trust.
AppSec’s “bad guy” image stands in the way of DevSecOps harmony.
If your only interactions with someone come when they are pointing out where you’ve gone wrong, chances are good that their input won’t be looked upon favorably.
Rarely seen unless there is a problem, the negative connotations of the security team’s presence tend to cause some friction. The relationship has been fractured for quite some time, with developers seeing the AppSec team as blockers to their creativity, process, and punctual shipping of features, while AppSec grows very weary of continually pointing out common security bugs that have existed (as has their remedy) for decades.
With increasingly impossible deadlines, under-resourced teams, and a strong desire to avoid rework, developers would often wait until the last possible moment to ship their code, making the window of opportunity for AppSec review and intervention as small as possible. A dysfunctional process, and it has an unacceptable impact of increasing cybersecurity risk to the organization.
For security specialists, it’s a case of “don’t shoot the messenger” - after all, their job is to find bugs and report them so they can be remediated - nothing personal. The sticking point is that they can often make recommendations that are not the best fit for the company’s technology stack, so can be seen as largely unhelpful in the bigger picture of in-house software development.
The notion of AppSec as the villain is counterintuitive for most development methodologies, but for DevSecOps, it’s a disaster. The gold standard has moved well beyond Waterfall, Agile, and even DevOps, into a process that sees security as a shared responsibility from the very beginning of the SDLC as vital.
For DevSecOps to work, software engineers need to be given a reason to care about security, and that comes from understanding why it’s so important for them to do their part in securing the world’s software. Security specialists who make the effort to extend the olive branch, work with development managers to meet the team’s needs, and take on more of a mentoring role in nurturing security awareness tend to see long-term benefits from their efforts… and they spend slightly less time tearing their hair out over yet another XSS error.
Developers need to be enabled to deliver better secure coding outcomes.
When it comes to learning secure coding during tertiary education, for many engineers, it’s non-existent. And it’s not because they were all busy playing beer pong and WoW - it’s simply not part of most computer science and IT degrees.
To that end, on-the-job training is often the first exposure a developer will get to the art of software security, and it rarely sets their world on fire. Hours of boring videos are a common training method, as are “tick-the-box” compliance exercises that are far too infrequent to have any real impact on teaching developers how to code securely, or make any headway in reducing common vulnerabilities in an organization’s software.
Both the AppSec team and the development cohort are crazy-busy, so any training should be meaningful, engaging, and hands-on. Speaking from a development background, we love to solve problems and get on the tools, so most static training just passes us by while we concentrate on something more pressing (or, let’s be honest, interesting).
AppSec specialists are in a place of influence, and they can forge a long-term, win-win situation by advocating for developers’ best interests. Seeking out viable training that is job-relevant, and delivered in their preferred languages and frameworks, is a huge step towards shifting the needle and inspiring a grassroots, positive security culture within an organization. We have tried the same thing for decades, and clearly, the “one size fits all” training approach doesn’t work. By helping to deliver the right tools and knowledge to developers, they can successfully upskill in secure coding, act with a heightened sense of security awareness, and produce a higher standard of code.
Efforts to get on the same page must come from both sides.
It’s easy for people with different goals to misunderstand each other, or, at worst, become somewhat distrustful. AppSec has the goal of keeping up with the onslaught of code being churned out, and finding any security issues that may lead to data being compromised, unauthorized access, and malicious attacks that have the potential to destroy positive customer sentiment for years.
Developers, among other things, build features to deadline. They are tasked with making software functional and beautiful, and being the creators of unique digital experiences that keep customers loyal. They’ve already got a lot to juggle, and pitching them a curveball in the shape of responsibility for security is a daunting prospect. It’s seen as AppSec’s problem to secure the code, and while that was somewhat achievable in the 90s (you know, before our cars could be hacked, and our entire lives could be carried around in a pocket supercomputer called a smartphone) there is simply too much code and not enough people to run it through the security gauntlet.
With a healthy dose of empathy, plus the enablement to make security a priority from the very beginning of the software creation process, AppSec and developers can see ways to align their goals. After all, a positive security culture depends on it, and security-aware developers are the secret ingredient to stopping common vulnerabilities, even with an ever-widening cybersecurity skills shortage.
Mutual respect for time has immense benefits.
Like I said before, everyone is super-busy when it comes to making magic (a.k.a. amazing software) happen. Developers will need allocated work time to do viable, hands-on training that builds their secure coding skills, and any training program should be hyper-relevant by design.
AppSec has their time wasted by fixing the same OWASP Top 10 vulnerabilities over and over again, and developers have theirs whittled away with low-engagement exercises that reinforce the idea in their minds that security is a chore.
Curated learning experiences are vital, and they help to cut to the chase through contextual, bite-sized delivery of relevant training, right at the moment it is needed.
By curating a custom secure coding course that is tailored to desired outcomes and in-house learning pathways, the developer’s time and workflow is being respected, while at the same time working towards a measurable reduction of vulnerabilities and cybersecurity risks for the business. It is a quick win in the quest to end soft rivalries, and move forward into the cybersecurity wild west as a united front.
Secure Code Warrior’s latest contextual learning feature, Courses, is available now.
A version of this article appeared in Cyber Defense Magazine. It has been updated and syndicated here.
A relationship that is built on the shaky foundations of mistrust is, well, best approached with low expectations. Sadly, this can be the state of the working relationship between developers and the AppSec team within an organization. Generally frosty and marred by a tendency to get in each other’s way, the situation is not ideal and leads to poor outcomes in a world of high-risk dependencies on technology.
Developers thrive on problem-solving, building features, and showing creativity in their work. AppSec, on the other hand, has the unenviable task of finding security bugs in their code, bouncing it back for fixes, and providing audits and reports that spoil the shine on the engineer’s pet projects. It’s not fair to put the blame solely on developers -- security is not their priority or part of their KPIs -- nor can the overworked AppSec team be penalized for simply doing their job. However, for cybersecurity best practices, and better security outcomes at the organizational level, they really need to start playing nice.
And it all starts with trust.
AppSec’s “bad guy” image stands in the way of DevSecOps harmony.
If your only interactions with someone come when they are pointing out where you’ve gone wrong, chances are good that their input won’t be looked upon favorably.
Rarely seen unless there is a problem, the negative connotations of the security team’s presence tend to cause some friction. The relationship has been fractured for quite some time, with developers seeing the AppSec team as blockers to their creativity, process, and punctual shipping of features, while AppSec grows very weary of continually pointing out common security bugs that have existed (as has their remedy) for decades.
With increasingly impossible deadlines, under-resourced teams, and a strong desire to avoid rework, developers would often wait until the last possible moment to ship their code, making the window of opportunity for AppSec review and intervention as small as possible. A dysfunctional process, and it has an unacceptable impact of increasing cybersecurity risk to the organization.
For security specialists, it’s a case of “don’t shoot the messenger” - after all, their job is to find bugs and report them so they can be remediated - nothing personal. The sticking point is that they can often make recommendations that are not the best fit for the company’s technology stack, so can be seen as largely unhelpful in the bigger picture of in-house software development.
The notion of AppSec as the villain is counterintuitive for most development methodologies, but for DevSecOps, it’s a disaster. The gold standard has moved well beyond Waterfall, Agile, and even DevOps, into a process that sees security as a shared responsibility from the very beginning of the SDLC as vital.
For DevSecOps to work, software engineers need to be given a reason to care about security, and that comes from understanding why it’s so important for them to do their part in securing the world’s software. Security specialists who make the effort to extend the olive branch, work with development managers to meet the team’s needs, and take on more of a mentoring role in nurturing security awareness tend to see long-term benefits from their efforts… and they spend slightly less time tearing their hair out over yet another XSS error.
Developers need to be enabled to deliver better secure coding outcomes.
When it comes to learning secure coding during tertiary education, for many engineers, it’s non-existent. And it’s not because they were all busy playing beer pong and WoW - it’s simply not part of most computer science and IT degrees.
To that end, on-the-job training is often the first exposure a developer will get to the art of software security, and it rarely sets their world on fire. Hours of boring videos are a common training method, as are “tick-the-box” compliance exercises that are far too infrequent to have any real impact on teaching developers how to code securely, or make any headway in reducing common vulnerabilities in an organization’s software.
Both the AppSec team and the development cohort are crazy-busy, so any training should be meaningful, engaging, and hands-on. Speaking from a development background, we love to solve problems and get on the tools, so most static training just passes us by while we concentrate on something more pressing (or, let’s be honest, interesting).
AppSec specialists are in a place of influence, and they can forge a long-term, win-win situation by advocating for developers’ best interests. Seeking out viable training that is job-relevant, and delivered in their preferred languages and frameworks, is a huge step towards shifting the needle and inspiring a grassroots, positive security culture within an organization. We have tried the same thing for decades, and clearly, the “one size fits all” training approach doesn’t work. By helping to deliver the right tools and knowledge to developers, they can successfully upskill in secure coding, act with a heightened sense of security awareness, and produce a higher standard of code.
Efforts to get on the same page must come from both sides.
It’s easy for people with different goals to misunderstand each other, or, at worst, become somewhat distrustful. AppSec has the goal of keeping up with the onslaught of code being churned out, and finding any security issues that may lead to data being compromised, unauthorized access, and malicious attacks that have the potential to destroy positive customer sentiment for years.
Developers, among other things, build features to deadline. They are tasked with making software functional and beautiful, and being the creators of unique digital experiences that keep customers loyal. They’ve already got a lot to juggle, and pitching them a curveball in the shape of responsibility for security is a daunting prospect. It’s seen as AppSec’s problem to secure the code, and while that was somewhat achievable in the 90s (you know, before our cars could be hacked, and our entire lives could be carried around in a pocket supercomputer called a smartphone) there is simply too much code and not enough people to run it through the security gauntlet.
With a healthy dose of empathy, plus the enablement to make security a priority from the very beginning of the software creation process, AppSec and developers can see ways to align their goals. After all, a positive security culture depends on it, and security-aware developers are the secret ingredient to stopping common vulnerabilities, even with an ever-widening cybersecurity skills shortage.
Mutual respect for time has immense benefits.
Like I said before, everyone is super-busy when it comes to making magic (a.k.a. amazing software) happen. Developers will need allocated work time to do viable, hands-on training that builds their secure coding skills, and any training program should be hyper-relevant by design.
AppSec has their time wasted by fixing the same OWASP Top 10 vulnerabilities over and over again, and developers have theirs whittled away with low-engagement exercises that reinforce the idea in their minds that security is a chore.
Curated learning experiences are vital, and they help to cut to the chase through contextual, bite-sized delivery of relevant training, right at the moment it is needed.
By curating a custom secure coding course that is tailored to desired outcomes and in-house learning pathways, the developer’s time and workflow is being respected, while at the same time working towards a measurable reduction of vulnerabilities and cybersecurity risks for the business. It is a quick win in the quest to end soft rivalries, and move forward into the cybersecurity wild west as a united front.
Secure Code Warrior’s latest contextual learning feature, Courses, is available now.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
A version of this article appeared in Cyber Defense Magazine. It has been updated and syndicated here.
A relationship that is built on the shaky foundations of mistrust is, well, best approached with low expectations. Sadly, this can be the state of the working relationship between developers and the AppSec team within an organization. Generally frosty and marred by a tendency to get in each other’s way, the situation is not ideal and leads to poor outcomes in a world of high-risk dependencies on technology.
Developers thrive on problem-solving, building features, and showing creativity in their work. AppSec, on the other hand, has the unenviable task of finding security bugs in their code, bouncing it back for fixes, and providing audits and reports that spoil the shine on the engineer’s pet projects. It’s not fair to put the blame solely on developers -- security is not their priority or part of their KPIs -- nor can the overworked AppSec team be penalized for simply doing their job. However, for cybersecurity best practices, and better security outcomes at the organizational level, they really need to start playing nice.
And it all starts with trust.
AppSec’s “bad guy” image stands in the way of DevSecOps harmony.
If your only interactions with someone come when they are pointing out where you’ve gone wrong, chances are good that their input won’t be looked upon favorably.
Rarely seen unless there is a problem, the negative connotations of the security team’s presence tend to cause some friction. The relationship has been fractured for quite some time, with developers seeing the AppSec team as blockers to their creativity, process, and punctual shipping of features, while AppSec grows very weary of continually pointing out common security bugs that have existed (as has their remedy) for decades.
With increasingly impossible deadlines, under-resourced teams, and a strong desire to avoid rework, developers would often wait until the last possible moment to ship their code, making the window of opportunity for AppSec review and intervention as small as possible. A dysfunctional process, and it has an unacceptable impact of increasing cybersecurity risk to the organization.
For security specialists, it’s a case of “don’t shoot the messenger” - after all, their job is to find bugs and report them so they can be remediated - nothing personal. The sticking point is that they can often make recommendations that are not the best fit for the company’s technology stack, so can be seen as largely unhelpful in the bigger picture of in-house software development.
The notion of AppSec as the villain is counterintuitive for most development methodologies, but for DevSecOps, it’s a disaster. The gold standard has moved well beyond Waterfall, Agile, and even DevOps, into a process that sees security as a shared responsibility from the very beginning of the SDLC as vital.
For DevSecOps to work, software engineers need to be given a reason to care about security, and that comes from understanding why it’s so important for them to do their part in securing the world’s software. Security specialists who make the effort to extend the olive branch, work with development managers to meet the team’s needs, and take on more of a mentoring role in nurturing security awareness tend to see long-term benefits from their efforts… and they spend slightly less time tearing their hair out over yet another XSS error.
Developers need to be enabled to deliver better secure coding outcomes.
When it comes to learning secure coding during tertiary education, for many engineers, it’s non-existent. And it’s not because they were all busy playing beer pong and WoW - it’s simply not part of most computer science and IT degrees.
To that end, on-the-job training is often the first exposure a developer will get to the art of software security, and it rarely sets their world on fire. Hours of boring videos are a common training method, as are “tick-the-box” compliance exercises that are far too infrequent to have any real impact on teaching developers how to code securely, or make any headway in reducing common vulnerabilities in an organization’s software.
Both the AppSec team and the development cohort are crazy-busy, so any training should be meaningful, engaging, and hands-on. Speaking from a development background, we love to solve problems and get on the tools, so most static training just passes us by while we concentrate on something more pressing (or, let’s be honest, interesting).
AppSec specialists are in a place of influence, and they can forge a long-term, win-win situation by advocating for developers’ best interests. Seeking out viable training that is job-relevant, and delivered in their preferred languages and frameworks, is a huge step towards shifting the needle and inspiring a grassroots, positive security culture within an organization. We have tried the same thing for decades, and clearly, the “one size fits all” training approach doesn’t work. By helping to deliver the right tools and knowledge to developers, they can successfully upskill in secure coding, act with a heightened sense of security awareness, and produce a higher standard of code.
Efforts to get on the same page must come from both sides.
It’s easy for people with different goals to misunderstand each other, or, at worst, become somewhat distrustful. AppSec has the goal of keeping up with the onslaught of code being churned out, and finding any security issues that may lead to data being compromised, unauthorized access, and malicious attacks that have the potential to destroy positive customer sentiment for years.
Developers, among other things, build features to deadline. They are tasked with making software functional and beautiful, and being the creators of unique digital experiences that keep customers loyal. They’ve already got a lot to juggle, and pitching them a curveball in the shape of responsibility for security is a daunting prospect. It’s seen as AppSec’s problem to secure the code, and while that was somewhat achievable in the 90s (you know, before our cars could be hacked, and our entire lives could be carried around in a pocket supercomputer called a smartphone) there is simply too much code and not enough people to run it through the security gauntlet.
With a healthy dose of empathy, plus the enablement to make security a priority from the very beginning of the software creation process, AppSec and developers can see ways to align their goals. After all, a positive security culture depends on it, and security-aware developers are the secret ingredient to stopping common vulnerabilities, even with an ever-widening cybersecurity skills shortage.
Mutual respect for time has immense benefits.
Like I said before, everyone is super-busy when it comes to making magic (a.k.a. amazing software) happen. Developers will need allocated work time to do viable, hands-on training that builds their secure coding skills, and any training program should be hyper-relevant by design.
AppSec has their time wasted by fixing the same OWASP Top 10 vulnerabilities over and over again, and developers have theirs whittled away with low-engagement exercises that reinforce the idea in their minds that security is a chore.
Curated learning experiences are vital, and they help to cut to the chase through contextual, bite-sized delivery of relevant training, right at the moment it is needed.
By curating a custom secure coding course that is tailored to desired outcomes and in-house learning pathways, the developer’s time and workflow is being respected, while at the same time working towards a measurable reduction of vulnerabilities and cybersecurity risks for the business. It is a quick win in the quest to end soft rivalries, and move forward into the cybersecurity wild west as a united front.
Secure Code Warrior’s latest contextual learning feature, Courses, is available now.
Table of contents
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.