Developers don't always respond well to security assessments that highlight flaws in their code. With a little bit of empathy, it's not hard to understand why developers might react with frustration, annoyance, or even hostility.
Security testing should be a dispassionate and routine part of the software development lifecycle – application security professionals will tell you it’s never personal. But developers invest time, attention, and emotional energy into the code they produce. Pointing out errors in their code can make developers feel like their work is being picked apart, judged, and declared inadequate.
In my nearly 10 years with Veracode, I've conducted thousands of consultation calls with developers to go over the results of a security assessment and help them take appropriate action to address security weaknesses. I've spoken with thousands of developers, and I've heard just about every kind of reaction developers can have to remediation.
I can tell you that virtually all developers I talk to care about application security. They care about the quality of the products they create, the integrity of the data their software handles, and the reputation of the organizations they work for.
Software development can be very demanding, and developers do their best under difficult circumstances with occasionally poor resources. They might be dealing with design documents and functional requirements that neglect explicit security considerations, and aggressive timelines that make comprehensive testing a burden. Often they lack the skillset for secure programming, which is not typically part of a developer's formal training.
In my experience, developers sometimes take security assessments very personally, and may internalize this implied criticism of their work as a criticism of their professionalism. Programming is as much a creative process as it is a technical challenge, and developers understandably have pride of ownership over their code.
Given the constant pressure on developers to meet deadlines or to accommodate changing requirements, it's understandable that when we give developers a security assessment and ask them to "fix it," it can feel like adding insult to injury.
As an AppSec manager, you should understand the pressures on development teams and try to understand why they may appear resistant to security testing. In my next blog post, I'll describe the stages of grief a developer goes through after a security assessment, and explain how you can help developers accept security as just a part of the job, and not a personal affront to their abilities.