Software Security - Getting Developers on Board
By: Caleb Sima,Kevin Beaver
Itís easy to understand that software security starts with writing secure code. Keep the flaws out from the beginning and youíve bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task. At first glance, it might seem that selling software security to developers would require the same approach as getting buy-in from executive management and the average user. Itís not quite that simple.
Developers are smart and independent thinkers that need better reasons to develop with software security in mind other than the worn out "because itís the right thing to do" spiel. Whether youíre a Chief Information Security Officer, development manager, or compliance director, the following are 13 ways you can get your developers on board with software security and ongoing security training for the long haul.
1. Find at least one developer that knows and values secure coding. This person will be able to lead and set a good example but also help mentor other developers by offering security training to minimize software security flaws.
2. Perform - or subcontract - a security assessment (automated security assessment tool and/or a penetration test) to determine where weaknesses currently exist. You can also hire a development expert that can review your current development process to determine weaknesses and areas for improvement. This is really the only way to know where you currently stand.
3. Get your developers the security training they need - on an ongoing basis. They may not admit it, but arguably the majority of developers could benefit from some security training in both development and general information security concepts. In fact, no IT professional is above needing formal continuing security training - thereís just too much to know. In their security training, make sure they learn about the concept of defense-in-depth. This will help drive home the importance of not relying on external defenses to keep their applications safe. It will also translate nicely into software-centric defenses in areas such as authentication constraints, access controls, input validation, login timeouts, secure password management, exception handling, and so on.
4. Through the security training, show your developers what national and international standards bodies are doing regarding software security. These organizations have laid the groundwork for secure development practices, which is half the battle.
7. Collaborate with your developers during security training to create formal software security standards and policies along with a set of metrics to ensure theyíre properly implemented and maintained.
8. Tweak your software development process where possible and try to include security training. Many developers and are set in their ways and donít follow a formal structured development process, but it certainly canít hurt to provide security training and make adjustments where necessary to facilitate more secure development processes and set your developers up for success long-term. This should include:
* Plan your high level software security goals up front
* Specify the security training requirements needed to accomplish your security goals
* Analyze security features that need to be present in the final code
* Design specific security controls to integrate into the application
* Develop the code integrating security controls where possible
* Test (via peer reviews and automated security assessment tools) to ensure the security is working as planned
* Re-test after implementation to ensure no new flaws are introduced in the process
* Perform ongoing security tests searching for newly introduced flaws
9. Set new standards for all new code moving forward rather than forcing your developers to go back and fix old code. This is especially important if older code is going to be phased out in the near future.
10. Make sure your developers receive security training on the business risks related to software security and whatís at stake for your organization. This can include:
* Business principle that security and privacy are being taken seriously
* Product differentiation for added value and competitive advantage
* Building of loyal customers
* Increased customer base - which can lead to increased revenues, profit sharing, and other incentives
* Decreased business liability and increased regulatory compliance
11. To the extent possible, support your developers when they request a specific development platform or language to use. Many software security flaws are introduced when developers have to learn a new language or support a new platform. If thereís no clear business need, then supporting developers on what they already know can be a lot safer.
12. Include software security requirements in your developerís formal job descriptions. Hold them accountable via periodic reviews and reward them for when they go above and beyond whatís expected.
13. Ensure thereís solid communication between marketing, product management, development, and information security. Properly setting expectations and realistic deadlines is required for effectively integrating software security. This may require having a sponsor at the executive level that can back you up when needed. Also, having an information security team member that knows software and is involved in the development process can be very valuable.
Thereís a saying that if you swing long enough and hard enough you must eventually hit a home run. Youíve got to approach getting developers on board with software security and ongoing security training as a long-term process. Itíll take time and youíll undoubtedly have pushback. Youíre not going to be able to force software security down every developerís throat - regardless of your justifications or consequences. However, if you start slowly and work towards establishing a security-conscious mindset in your organization, youíll eventually see positive results.
... to read more articles, visit http://sqa.fyicenter.com/art/