Building a Security-First Culture

And why Application Security is like wearing masks.

Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks, wherever you go.

This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hate masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh the cons. And by wearing face masks, we protect ourselves and our communities from the virus.

Application security is like wearing masks. Implementing secure practices requires a lot of effort but is ultimately good for you. Security tools get a bad rep. Developers worry they would slow them down, make their work look bad, or even cost them their jobs when something goes wrong. In particular, static analysis tools are known for producing false positives that require a lot of manpower to deal with. Remediation advice is usually generic and cryptic, requiring the developers to spend time reading through extended documentation.

Despite these barriers, how can we create a culture around prioritizing application security like we created a culture of wearing masks?

  • Present the evidence

When the pandemic first started, one of the barriers that prevented people from wearing masks was a lack of awareness. Will wearing masks really prevent the virus? Is the virus that dangerous? Is wearing a mask even worth the hassle?

To help developers write secure code, we need to help developers learn about security and how security impacts their users. Beyond standard security training that teaches developers about technicalities like XSS, SQLi, and insecure deserialization, we need to introduce security training in a way that is relevant to their work.

We need a developer education solution that is efficient, engaging, and easy to absorb. Unfortunately, currently available resources out there are often painfully generic or consist of large blocks of text. By incorporating security education into the development process, we can create motivation for learning about security. Make learning fun, and make it clear why developers should care.

  • Make it easy

Just like wearing masks, writing secure software can be uncomfortable. Scanning, testing, and fixing code inevitably introduce friction into a developer’s workflow. We need to make developing secure code as easy and painless as possible by focusing on making security tools developer-friendly.

Just as we made face masks better through good materials and design, we can design security tools to be comfortable. Here at ShiftLeft, we make static analysis painless by making scans fast and integrating with developers’ favorite tools. To build a secure culture, we need to show developers that security best practices like code scanning don’t have to slow them down.

  • Create a mask-wearing culture

Finally, the most powerful thing we can do to change behavior is to create a positive social norm. When we want people to wear masks, we tie mask-wearing to positive social values, like protecting others against the coronavirus.

We can do the same thing for application security. In addition to prioritizing fast development and code quality, we need to establish a cultural norm that encourages secure development. By encouraging secure practices, celebrating security wins, and rewarding caution, we can make security the de facto culture in our development teams.

This article is co-authored by Prabhu Subramanian, Lead Product Architect at ShiftLeft Inc.

Thanks for reading! What is the most challenging part of developing secure software for you? I’d love to know. Feel free to connect on Twitter @vickieli7.