Security' is Not a Dirty Word: How a Positive Approach Will Transform Your Security Program
Originally published on the DevSecCon Blog.
Having been on both sides of the fence, I know all too well the tension that can arise between the development team and AppSec specialists when it comes to upholding security best practice.
It's tough; at the end of the day, a developer's chief priority is delivering software features. They must be beautiful, functional and help showcase the power of the application. With agile development practices typically in-play these days, these features must be completed to strict deadlines... and security is rarely high on the list of concerns with so much else at stake.
Security is seen as the domain of the AppSec team, who have the unenviable task of scanning code (or worse: reviewing it manually, line-by-line) and reporting to the development team that their code is insecure or indeed, entirely unusable. They're the sticks in the mud that pick apart their good work, halt innovation and generally create a headache for developers. At the end of the day, many security issues are quite a simple fix " perhaps just one line of code could reinforce a vulnerable back door in minutes.
But, here's the problem. With "security'so synonymous with a negative experience, developers simply aren't engaged with it as closely as they should be. Those one-line fixes aren't happening: after all, the AppSec guys continually come across the same issues. It must be quite maddening for them to still be pointing out SQL injection flaws, more than twenty years after we first discovered them (and their subsequent fix).
What we've done to date isn't working anywhere near as effectively as we'd hoped. We need to focus on repairing the bridge between developers and AppSec specialists, striving for a positive security culture in which developers are given the tools and training to make a real impact in the space.
Who knows? They might even fall in love with it as I did!
Positive security is the fastest and easiest way to improve application security
ity " and no, it's not some woo-woo about intangible outcomes. It is an absolutely vital ingredient in the secure coding recipe of success.
Developers hold the key to improving security from the very beginning of production, by writing secure code in the first place. By creating a positive security culture and getting developers excited about application security, common vulnerabilities can be wiped out before they ever make it to a scan or manual code review in AppSec land.
It's thirty times more expensive to fix vulnerabilities in code that is already committed, so finding training that plays to developer strengths, holds interest and actually works is a huge step in future cost reduction for identifying and fixing those recurring vulnerabilities.
Positive, developer focused initiatives foster the right security culture.
When everyone is on the same page with security best practice, a positive security culture is a happy, vital by-product.
Positive, scalable developer focused initiatives foster the right security culture. Engaging the problem-solving, creative minds of developers is essential to winning them over, as well as ensuring any new recruits can quickly come up-to-speed with the security expectations of the team. Get in touch for an overview of how the developer security relationship has evolved and ideas on rolling out a successful security awareness program in your own organizations.
Having been on both sides of the fence, I know all too well the tension that can arise between the development team and AppSec specialists when it comes to upholding security best practice. However, there is a better approach.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Originally published on the DevSecCon Blog.
Having been on both sides of the fence, I know all too well the tension that can arise between the development team and AppSec specialists when it comes to upholding security best practice.
It's tough; at the end of the day, a developer's chief priority is delivering software features. They must be beautiful, functional and help showcase the power of the application. With agile development practices typically in-play these days, these features must be completed to strict deadlines... and security is rarely high on the list of concerns with so much else at stake.
Security is seen as the domain of the AppSec team, who have the unenviable task of scanning code (or worse: reviewing it manually, line-by-line) and reporting to the development team that their code is insecure or indeed, entirely unusable. They're the sticks in the mud that pick apart their good work, halt innovation and generally create a headache for developers. At the end of the day, many security issues are quite a simple fix " perhaps just one line of code could reinforce a vulnerable back door in minutes.
But, here's the problem. With "security'so synonymous with a negative experience, developers simply aren't engaged with it as closely as they should be. Those one-line fixes aren't happening: after all, the AppSec guys continually come across the same issues. It must be quite maddening for them to still be pointing out SQL injection flaws, more than twenty years after we first discovered them (and their subsequent fix).
What we've done to date isn't working anywhere near as effectively as we'd hoped. We need to focus on repairing the bridge between developers and AppSec specialists, striving for a positive security culture in which developers are given the tools and training to make a real impact in the space.
Who knows? They might even fall in love with it as I did!
Positive security is the fastest and easiest way to improve application security
ity " and no, it's not some woo-woo about intangible outcomes. It is an absolutely vital ingredient in the secure coding recipe of success.
Developers hold the key to improving security from the very beginning of production, by writing secure code in the first place. By creating a positive security culture and getting developers excited about application security, common vulnerabilities can be wiped out before they ever make it to a scan or manual code review in AppSec land.
It's thirty times more expensive to fix vulnerabilities in code that is already committed, so finding training that plays to developer strengths, holds interest and actually works is a huge step in future cost reduction for identifying and fixing those recurring vulnerabilities.
Positive, developer focused initiatives foster the right security culture.
When everyone is on the same page with security best practice, a positive security culture is a happy, vital by-product.
Positive, scalable developer focused initiatives foster the right security culture. Engaging the problem-solving, creative minds of developers is essential to winning them over, as well as ensuring any new recruits can quickly come up-to-speed with the security expectations of the team. Get in touch for an overview of how the developer security relationship has evolved and ideas on rolling out a successful security awareness program in your own organizations.
Originally published on the DevSecCon Blog.
Having been on both sides of the fence, I know all too well the tension that can arise between the development team and AppSec specialists when it comes to upholding security best practice.
It's tough; at the end of the day, a developer's chief priority is delivering software features. They must be beautiful, functional and help showcase the power of the application. With agile development practices typically in-play these days, these features must be completed to strict deadlines... and security is rarely high on the list of concerns with so much else at stake.
Security is seen as the domain of the AppSec team, who have the unenviable task of scanning code (or worse: reviewing it manually, line-by-line) and reporting to the development team that their code is insecure or indeed, entirely unusable. They're the sticks in the mud that pick apart their good work, halt innovation and generally create a headache for developers. At the end of the day, many security issues are quite a simple fix " perhaps just one line of code could reinforce a vulnerable back door in minutes.
But, here's the problem. With "security'so synonymous with a negative experience, developers simply aren't engaged with it as closely as they should be. Those one-line fixes aren't happening: after all, the AppSec guys continually come across the same issues. It must be quite maddening for them to still be pointing out SQL injection flaws, more than twenty years after we first discovered them (and their subsequent fix).
What we've done to date isn't working anywhere near as effectively as we'd hoped. We need to focus on repairing the bridge between developers and AppSec specialists, striving for a positive security culture in which developers are given the tools and training to make a real impact in the space.
Who knows? They might even fall in love with it as I did!
Positive security is the fastest and easiest way to improve application security
ity " and no, it's not some woo-woo about intangible outcomes. It is an absolutely vital ingredient in the secure coding recipe of success.
Developers hold the key to improving security from the very beginning of production, by writing secure code in the first place. By creating a positive security culture and getting developers excited about application security, common vulnerabilities can be wiped out before they ever make it to a scan or manual code review in AppSec land.
It's thirty times more expensive to fix vulnerabilities in code that is already committed, so finding training that plays to developer strengths, holds interest and actually works is a huge step in future cost reduction for identifying and fixing those recurring vulnerabilities.
Positive, developer focused initiatives foster the right security culture.
When everyone is on the same page with security best practice, a positive security culture is a happy, vital by-product.
Positive, scalable developer focused initiatives foster the right security culture. Engaging the problem-solving, creative minds of developers is essential to winning them over, as well as ensuring any new recruits can quickly come up-to-speed with the security expectations of the team. Get in touch for an overview of how the developer security relationship has evolved and ideas on rolling out a successful security awareness program in your own organizations.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Originally published on the DevSecCon Blog.
Having been on both sides of the fence, I know all too well the tension that can arise between the development team and AppSec specialists when it comes to upholding security best practice.
It's tough; at the end of the day, a developer's chief priority is delivering software features. They must be beautiful, functional and help showcase the power of the application. With agile development practices typically in-play these days, these features must be completed to strict deadlines... and security is rarely high on the list of concerns with so much else at stake.
Security is seen as the domain of the AppSec team, who have the unenviable task of scanning code (or worse: reviewing it manually, line-by-line) and reporting to the development team that their code is insecure or indeed, entirely unusable. They're the sticks in the mud that pick apart their good work, halt innovation and generally create a headache for developers. At the end of the day, many security issues are quite a simple fix " perhaps just one line of code could reinforce a vulnerable back door in minutes.
But, here's the problem. With "security'so synonymous with a negative experience, developers simply aren't engaged with it as closely as they should be. Those one-line fixes aren't happening: after all, the AppSec guys continually come across the same issues. It must be quite maddening for them to still be pointing out SQL injection flaws, more than twenty years after we first discovered them (and their subsequent fix).
What we've done to date isn't working anywhere near as effectively as we'd hoped. We need to focus on repairing the bridge between developers and AppSec specialists, striving for a positive security culture in which developers are given the tools and training to make a real impact in the space.
Who knows? They might even fall in love with it as I did!
Positive security is the fastest and easiest way to improve application security
ity " and no, it's not some woo-woo about intangible outcomes. It is an absolutely vital ingredient in the secure coding recipe of success.
Developers hold the key to improving security from the very beginning of production, by writing secure code in the first place. By creating a positive security culture and getting developers excited about application security, common vulnerabilities can be wiped out before they ever make it to a scan or manual code review in AppSec land.
It's thirty times more expensive to fix vulnerabilities in code that is already committed, so finding training that plays to developer strengths, holds interest and actually works is a huge step in future cost reduction for identifying and fixing those recurring vulnerabilities.
Positive, developer focused initiatives foster the right security culture.
When everyone is on the same page with security best practice, a positive security culture is a happy, vital by-product.
Positive, scalable developer focused initiatives foster the right security culture. Engaging the problem-solving, creative minds of developers is essential to winning them over, as well as ensuring any new recruits can quickly come up-to-speed with the security expectations of the team. Get in touch for an overview of how the developer security relationship has evolved and ideas on rolling out a successful security awareness program in your own organizations.
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
.png)
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
