Security as culture: How Blue Prism cultivates world-class secure developers

Background

Blue Prism is the global leader in intelligent automation for the enterprise; an exciting tech company creating cutting-edge software and tools that help organizations stay agile, efficient and competitive. For two decades, they’ve ensured that some of the world’s best and most groundbreaking companies can innovate at speed while helping them meet global and business challenges. Now Blue Prism is rapidly maturing into the next phase of its operations.

Maria Morris, a senior application security engineer at Blue Prism, is working on the front lines to maintain their enviable, first-class security program. Her dedication to upholding a strong culture of security best practices, cross-functional collaboration, and awareness, is central to the efficient deployment of secure software within the organization. As part of her initiatives, Maria sought a hands-on training solution that could continue to inspire the development cohort to build on their security awareness and secure coding skills, using real-world code.

The challenge

Blue Prism lives and breathes its customers’ success. With a strong focus on security as well as cutting-edge AI-infused robotic process automation (RPA), it’s no wonder that so many enterprises in the Global 2000 rely on their products and services. Of course, this trust comes with great responsibility, and the need for security to be at the forefront of every process and decision is a must.

With the need to ensure regulatory security compliance with legislation such as PCI-DSS, HIPAA, FISMA, and FIPS, being able to mitigate against the common, yet potent vulnerabilities featured in the OWASP Top 10, and the SANSTop 25 Most Dangerous Software Weaknesses(CWE) is essential. To do this effectively, they need to empower their security-skilled

“We are really good at hiring people who put security first. Everybody here loves security; in meetings, it’s one of the top three things that people want to discuss.With every decision, we ask ourselves, ‘Is this secure enough? Can we make it more secure?’. It’s always at the forefront of the mind because security is important, as it should be,” says Maria.

The implementation

Maria and her team advocate the ‘shift left’ approach to software security, prioritizing it early on in each stage of the software development lifecycle:

“If you start secure, you don't have to ‘become’ secure – the latter is a lot harder to achieve. It reduces developer workload and work time. It reduces the risk of revisiting issues and trying to put in place a fix when the software is already live in people's environments. Doing it right the first time is key”, says Maria.

Her development cohort is hand-picked for their interest in security, and Blue Prism’s burgeoning security culture helps their security skills to thrive. She was able to use Secure Code Warrior’s Learning Platform to help benchmark and reinforce existing skills, build upon prior knowledge and experience and get hands-on with security challenges in the code that is familiar to them:

“The developers liked Secure Code Warrior instantly – there’s been no friction getting them to want to be involved, to use and engage with the platform”,says Maria. “It was a great way of re-enforcing the knowledge they already had, while allowing them to learn new things.”

Blue Prism takes their learning to the next level by utilizing the Courses feature as well, allowing Maria to create curated, precision pathways for her developers that align with strategy and help achieve security goals in the business.

“The developers actually like my courses, which is nice. I try to make them very specific to current projects.We’ve got the ‘sensitive data handling’ course, for example. I make the material highly relevant. I use videos as a recap, and then set exercises about it, followed by an assessment at the end. The developers like that approach because they have limited time. They want something tangible to feel like they've accomplished something great”, says Maria.

The result

The team at Blue Prism rolled out effective, engaging training and courses for their development cohort to hone the skills that support their best-in-class security program. Their highly positive approach to security madeSecure Code Warrior a great fit for their organization, solidifying the training that is so crucial to achieving regulatory compliance, and scaling security at speed across the many products and services that power some of the world’s biggest companies.

Maria’s use of curated learning pathways is in complete contrast to generic, one-off training so often seen at other companies. This allows her to scale the education part of her security strategy to great effect, highlighting further Blue Prism’s dedication to quality and customer first initiatives.

“We're really lucky because our developers believe in the tech excellence philosophy as well. They don't want just to meet what's on the paper. They want to do what's right. They want to know that our product is secure and they want to be assured that if anything happens, it's not going to be because Blue Prism was that single point of failure. It's this belief in the product that makes the difference”, says Maria.

"Thanks for setting it up! It was really, really good. Hard to tell what it will be like until you actually get stuck in and do it. But it's a great way of learning. I generally know all the theory but being given working code to try it out on is really effective." Ben, Blue Prism developer, feedback after a tournament