Changing the way a developer codes is a hard task, if not an impossible one. Yet writing secure code requires both a mental shift and a change in coding habits. Using tools is an important step towards producing secure software; however, raising the security consciousness of the developers in your team or presenting them with valuable security findings may not be enough to reach that goal. More actions should be taken.
Here we will present 5 practical tips for promoting secure coding across your development project team(s).
- Find the one
- Learn their language
- Gain their trust
- Don't be cocky
Find The One
90 percent of the time, every development team includes a security-curious member. Be it an old hacker or a Hacker News follower, such a team member can be chosen to act as an application security satellite, raising awareness of the security problems their colleagues may face when writing insecure code.
This application security satellite may send weekly news about hacking incidents and their repercussions to their team members, preferably including the root cause of each incident and possible fixes. These e-mails may also include security resources that you shared with them previously.
Because the application security satellite is more visible within the development team than an outside security expert, these chosen people can act as a more effective channel for adopting secure development practices than a security expert could.
Learn Their Language
Presenting security findings to developers remotely by sending e-mails or opening tickets is not enough, at least not before the know-how transfer has taken place. Security know-how transfer should be carried out through closer contact: explaining the issue categories and their fixes, and then alternative fixes.
The key to effective know-how transfer is being able to communicate with the developers correctly, in their language. This can only be achieved by a security expert who knows how to read and preferably write code, or alternatively by a security-savvy developer.
Clear and effective communication of security-related actions requires the security expert to be able to read and preferably write code in the language and frameworks the development team is using.
Gain Their Trust/Respect
Gaining the trust and respect of the development team is important for getting findings fixed. Sure, pushing tight SLAs with the standards-and-policies hammer will do the job, too. However, security might not be the first item on the managerial agenda; as trust increases, the development team will be more likely to fix the vulnerabilities you direct to them.
One of the best ways to increase that trust is to present them with findings that have already been analyzed and prioritized. Tons of findings with a high rate of false positives will do nothing but lose their focus.
Negotiating over security vulnerabilities shouldn't be an option, as long as the findings presented to your development team have been analyzed and prioritized beforehand.
Don't Be Cocky
Sometimes security people tend to think that the world revolves around hacking. This is not true. Behaving like an all-knowing and all-seeing "hacker" towards developers during meetings doesn't necessarily get their attention. As well as talking to them about the weaknesses and root causes, listen to them and try to understand their view of the priorities and obstacles that stand before secure coding.
With a small mental shift, most developers can also be good hackers. Don't pretend that security should be their number one priority; instead, try to communicate with an open mind, understanding their development behavior.