How Thales implemented developer-driven security

Background

Thales Group is a French multinational company that designs, develops, and manufactures electrical systems, as well as devices and equipment for the aerospace, defense, transportation, and security sectors. Viswanath S. Chirravuri, is the Software Security Technical Director at Thales. Viswanath, or Vis, started his career in security initially as a programmer. He is now a senior security leader at Thales, with more than 18 years of experience in the security industry, and holds more than 30 certifications, including CISSP, PMP, and GSE. He has educated over 3,000 software professionals in more than 18 countries. In addition, Vis won more than 10 SANS challenge coins in international cybersecurity tournaments (such as Netwars) and is an active member of the GIAC Advisory Board. We spoke with Vis to learn how he aligned people, processes, and technology to develop a successful secure code-learning program at Thales.

Situation

When Vis started at Thales, he coached business units to look at the source of vulnerabilities discovered via pen-testing as a possible solution to decrease the backlog of tech debt. The application security team used 7 different vendors they were working with to solidify their security posture - from IAST/ DAST tools to pen-testing tools. Vis wanted to understand the market trends and manage threats in a scalable manner to develop mitigation strategies through a strong integration between process and technology. This meant shifting from a purely tools-based approach to a strategy that had a strong learning component. He noticed that many of the developers didn’t have a security background or security skills. His initial approach was to provide classroom-based training for developers on topics like the OWASP Top 10, but he realized quickly that this was not going to scale with all the travel required to teach in person and the need to reach thousands of developers across the globe. Vis noted that:

“There is always going to be an imbalance in the ratio between security and development. Even if I had a 1:1 ratio of security to developers, I couldn’t keep them engaged all the time. Keeping our developers up to date on new attack vectors, best practices, new languages, and newly discovered vulnerabilities meant we needed to be able to promote self-learning by developers and have them be able to go at their own pace. If they need help, I could help them, but I realized that I couldn’t be the guy teaching them how to fix every vulnerability they find.”

Initially - there was pushback from development managers about the time investment developers would need to spend on secure code learning, recognizing that so many developers were starting from the ground up. Vis needed to manage the perception that a commitment to secure code learning might disrupt software release cycles or slow mission-critical sprints. He needed to find a way to properly motivate the organization to spend time on agile learning for secure code. Vis took a people-first attitude to address vulnerabilities at the source, “People often say that security is taking away time from development. For me, if you develop something and it’s insecure, it was a waste of time to begin with. You should always develop software to be secure and save yourself the time of having to fix the vulnerabilities that could have easily been avoided. We should all have the common goal of shipping reliable code.”

Action

Vis had two primary goals in mind: securing their software and raising security awareness in Thales’ developer teams. It was critical to implement a program that allowed developers to be independent and train at their own pace. Vis' strategy was to build a security community over time, working to link secure coding with corporate policies and developing a mandate for secure code learning in the organization. By encouraging a culture of community that connected developers, testers, architects, and engineers he saw a motivation multiplier effect. Security champions emerged that were passionate about security as a part of their day jobs helped spread awareness of secure coding practices across the organization. Vis evaluated more than a dozen security training vendors and became an SCW customer in 2019. For Thales, it was a huge benefit to have a vendor covering all the programming languages and frameworks in their environment instead of a piecemeal solution. Vis leaned on Secure Code Warrior’s huge volume of content to build training and self-paced learning for developers in the security program to access:

“The OWASP top 10 is not just simply just ten things you need to know. The depth and diversity of the vulnerabilities covered by OWASP combined with the sheer number of programming languages can be overwhelming - the wide range of challenges and coverage we have on these things was a key factor in choosing SCW. They are always adding new things. The depth, the diversity of topics, the up-to-date content, and the focus on secure code design principles really setSCW apart. With them, it’s not a one-time use training, instead, we gained the opportunity to build a continuous program.”

Vis and his team structured four levels of the secure code learning program rollout, with different milestones for each engineering role:

Importantly, SCW became the source of truth for vulnerability fixes. Instead of relying on Google searches that might lead you to troubleshoot, Vis published both guidelines from the AppSec team and ones from SCW’s content library so that developers could reference a trusted and authentic source for vulnerability fixes in the code. According to Vis:

“Developers shouldn’t be free to decide how to fix a vulnerability and potentially introduce a new vulnerability in the process. We integrated SCW videos into our LMS via SCW’s SCORM integration to make sure developers were learning how to fix the vulnerability in the right way. This also gave us a way to ensure that developers delivering secure software were being recognized. We ask them to achieve a certain level of secure coding and we can track that through the vulnerabilities they resolve and are not re-introducing. That way, the hard work they’ve done is recognized and valued in the company.”

Results

Vis and his team publish a monthly secure code newsletter where they can recognize the top learner in the company. They use SCW to look at assessment scores, tournament participation, and challenges played to amplify that achievement. This motivates other developers to learn too. The KPIs he initially set focused on reducing the overall number of vulnerabilities over 2 years. After implementing SCW, he noted a decreasing trend line. These vulnerabilities are not re-introduced at the source code level. Vis puts it this way:

"The KPIs we present to our management reflect that well-informed selection we made. We are proud that we have secure code training that delivers business confidence to our customers. We are recognized for our comprehensive secure code training program and are respected by our customers and peers. It adds a lot of value to your company when you have a program like this.”

Key takeaways

Vis recognized that people, processes, and technology all have a role to play in any security initiative. By focusing on the security of the software, developer knowledge, and meeting compliance - it’s possible to put together an agile learning for a secure code program that reduces vulnerabilities in the source code over time. Vis offers these recommendations to professionals in his field looking to build security skills in developer teams.