13 Ways to Get your Developers on Board with Software Security

It’s easy to understand that software security starts with writing secure code. Keep the flaws out from the beginning and you’ve bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be easy. At first glance, it might seem that selling software security to developers requires the same approach as getting buy-in from executive management or the average user. It’s not quite that simple.

Developers are smart, independent thinkers who need better reasons to develop with software security in mind than the worn-out "because it’s the right thing to do" spiel. Whether you’re a Chief Information Security Officer, development manager, or compliance director, the following are 13 ways to get your developers on board with software security and ongoing security training for the long haul.

  1. Find at least one developer who knows and values secure coding. This person can lead by example and mentor other developers, providing the kind of day-to-day security training that keeps flaws out of the code.

  2. Perform, or subcontract, a security assessment (an automated security assessment tool and/or a penetration test) to determine where weaknesses currently exist. You can also hire a development expert to review your current development process for weaknesses and areas for improvement. This is really the only way to know where you stand today.

  3. Get your developers the security training they need, on an ongoing basis. They may not admit it, but most developers could benefit from training in both secure development and general information security concepts. In fact, no IT professional is above formal continuing security training; there is simply too much to know. Make sure the training covers the concept of defense-in-depth. This drives home that an application cannot rely on external defenses such as a firewall to keep it safe, and it translates directly into software-centric defenses in areas such as authentication constraints, access controls, input validation, login timeouts, secure password management, and exception handling.

  4. Through the security training, show your developers what national and international standards bodies are doing regarding software security. These organizations have laid the groundwork for secure development practices, which is half the battle. Well-known and widely-accepted standards are:

  5. Give developers access to the tools they need alongside the training, including software security analysis and remediation tools and the often-overlooked threat modeling tools. The only efficient way for them to make significant improvements is to have the right tools for the job.

  6. Create a development library for ongoing security training that can provide quick reference to various software security issues including:
    Books

    Magazines

    Also, ensure that during security training your developers are informed about the following Web sites and industry organizations that can be of benefit:

    Web Sites

    Industry Organizations

  7. Collaborate with your developers during security training to create formal software security standards and policies along with a set of metrics to ensure they’re properly implemented and maintained.

  8. Tweak your software development process where possible to include security training. Many developers are set in their ways and don’t follow a formal, structured development process, but it can’t hurt to provide security training and make adjustments where necessary to facilitate more secure development and set your developers up for long-term success. This should include:

  9. Apply the new standards to all new code going forward rather than forcing your developers to go back and fix old code. This is especially reasonable if the older code is going to be phased out in the near future; older code that will stay in production should at least be covered by the assessment in item 2 so you know what risk you are carrying.

  10. Make sure your developers receive security training on the business risks related to software security and what’s at stake for your organization. This can include:

  11. To the extent possible, support your developers when they request a specific development platform or language. Many software security flaws are introduced when developers have to learn a new language or support an unfamiliar platform. If there’s no clear business need to switch, keeping developers on what they already know is often the safer choice.

  12. Include software security requirements in your developers’ formal job descriptions. Hold them accountable through periodic reviews, and reward them when they go above and beyond what’s expected.

  13. Ensure there’s solid communication between marketing, product management, development, and information security. Properly setting expectations and realistic deadlines is required for effectively integrating software security. This may require an executive-level sponsor who can back you up when needed. Also, having an information security team member who knows software and is involved in the development process can be very valuable.
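The software-centric defenses listed in item 3 are easier to teach with a concrete artifact in front of the team. The following is an added example written for this page, not code from the article or its authors: a small login service that layers several independent controls (allow-list input validation, salted and iterated password hashing checked with a constant-time compare, a failed-login lockout, a session idle timeout, and exception handling that never leaks the cause of a failure). The in-memory user store, the thresholds, and the names such as AuthService and GENERIC_FAILURE are hypothetical.

```python
"""Defense-in-depth inside a login path. Added example, not from the article;
the user store, policy thresholds and helper names are assumptions."""
import hashlib
import hmac
import os
import re
import secrets
import time

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")      # input validation: allow-list the shape
MAX_FAILURES = 5                                    # failed logins before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60                           # lockout window (assumed policy)
SESSION_TTL_SECONDS = 30 * 60                       # login timeout (assumed policy)
DEFAULT_ITERATIONS = 600_000                        # PBKDF2-HMAC-SHA256 work factor
GENERIC_FAILURE = "invalid username or password"    # one message for every failure cause


def hash_password(password, salt, iterations):
    """Salted, iterated hash; the plaintext is never stored or logged."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class AuthService:
    def __init__(self, now=time.time, iterations=DEFAULT_ITERATIONS):
        self._now = now                   # injectable clock so lockout/expiry can be tested
        self._iterations = iterations
        self._users = {}                  # username -> (salt, digest)
        self._failures = {}               # username -> (count, first_failure_time)
        self._sessions = {}               # token -> (username, expires_at)

    def register(self, username, password):
        if not USERNAME_RE.fullmatch(username):
            raise ValueError("username does not meet policy")
        if len(password) < 12:
            raise ValueError("password must be at least 12 characters")
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt, self._iterations))

    def _locked(self, username):
        count, first = self._failures.get(username, (0, 0.0))
        if count == 0:
            return False
        if self._now() - first >= LOCKOUT_SECONDS:
            self._failures.pop(username, None)    # window expired: reset the counter
            return False
        return count >= MAX_FAILURES

    def login(self, username, password):
        """Returns (True, session_token) or (False, GENERIC_FAILURE)."""
        try:
            if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
                return False, GENERIC_FAILURE     # reject malformed input before any lookup
            if self._locked(username):
                return False, GENERIC_FAILURE     # locked accounts get the same answer
            # Unknown user: hash anyway so response time does not reveal which names exist.
            salt, stored = self._users.get(username, (b"\x00" * 16, b"\x00" * 32))
            candidate = hash_password(password, salt, self._iterations)
            if username not in self._users or not hmac.compare_digest(candidate, stored):
                count, first = self._failures.get(username, (0, self._now()))
                self._failures[username] = (count + 1, first)
                return False, GENERIC_FAILURE
            self._failures.pop(username, None)
            token = secrets.token_urlsafe(32)
            self._sessions[token] = (username, self._now() + SESSION_TTL_SECONDS)
            return True, token
        except Exception:
            # Exception handling: fail closed with the generic message; a real service
            # would log the details internally, never return them to the caller.
            return False, GENERIC_FAILURE

    def session_user(self, token):
        """Resolve a session token, enforcing the idle timeout."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            self._sessions.pop(token, None)
            return None
        return username
```

Each control stands on its own: if the lockout is bypassed, the slow hash and constant-time compare still limit what an attacker learns per attempt; if the hash store leaks, the salt and iteration count still raise the cost of cracking. A production service would swap PBKDF2 for a memory-hard function such as Argon2 via a vetted library and persist the failure counters and sessions, but the layering shown here is the point of the training item.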

There’s a saying that if you swing long enough and hard enough you must eventually hit a home run. You’ve got to approach getting developers on board with software security and ongoing security training as a long-term process. It’ll take time and you’ll undoubtedly have pushback. You’re not going to be able to force software security down every developer’s throat - regardless of your justifications or consequences. However, if you start slowly and work towards establishing a security-conscious mindset in your organization, you’ll eventually see positive results.

About Caleb Sima
Caleb Sima is the co-founder of SPI Dynamics, a Web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics’ R&D security team. Prior to co-founding SPI Dynamics, Caleb was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Caleb is a regular speaker and press resource on Web application security testing methods and has contributed to (IN)Secure Magazine, Baseline Magazine and been featured in the Associated Press.

About Kevin Beaver
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written six information security books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.