Building a Security-First Culture
Like wearing a mask to prevent the spread of COVID-19, building a security-first culture is an essential component of successful application development.
Application Security Is Like Wearing a Mask
Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks wherever you go.
This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hated masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh the cons, and by wearing face masks, we protect ourselves and our communities from the virus.
Application security is like wearing masks. Implementing secure practices requires a lot of effort but is ultimately good for you. Security tools also get a bad rep. Developers worry they will slow them down, make their work look bad, or even cost them their jobs when something goes wrong. In particular, static analysis tools are known for producing false positives that take a lot of effort to triage. Remediation advice is usually generic and cryptic, requiring developers to spend time reading through extended documentation.
Despite these barriers, how can we create a culture that prioritizes application security like we have created a culture of wearing masks?
Present the Evidence
When the pandemic first started, one of the barriers that prevented people from wearing masks was a lack of awareness. Will wearing masks really prevent the virus? Is the virus that dangerous? Is wearing a mask even worth the hassle?
To help developers write secure code, we need to help developers learn about security and how security impacts their users. Beyond standard security training that teaches developers about technicalities like XSS, SQLi, and insecure deserialization, we need to introduce security training in a way that is relevant to their work.
We need a developer education solution that is efficient, engaging, and easy to absorb. Unfortunately, currently available resources are often painfully generic or consist of large blocks of text. By incorporating security education into the development process, we can create motivation for learning about security. We need to make learning fun and make it clear why developers should care.
Make It Easy
Just like wearing masks, writing secure software can be uncomfortable. Scanning, testing, and fixing code inevitably introduces friction into a developer’s workflow. We need to make developing secure code as easy and painless as possible by focusing on making security tools developer-friendly.
Like we made face masks more convenient by using good material and design, we can design security tools to be comfortable for users. To build a secure culture, we need to show developers that the best security practices, like code scanning, don’t have to slow them down.
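What a developer-friendly check looks like in practice, as an added example that is not code from the original article: a small SQL-injection scanner built on Python's standard-library `ast` module (needs Python 3.9+ for `ast.unparse`). It deliberately flags only `execute()`/`executemany()` calls whose query text is provably assembled from runtime data, stays silent on a bare variable it cannot trace, and instead of a generic "use prepared statements" prints a parameterized rewrite of that exact call. The sample source it scans is constructed for the example, and the `%s` placeholder style is an assumption (sqlite3, for instance, uses `?`).

```python
"""Low-noise SQL-injection check with concrete, local remediation advice.

Added example, not part of the original article. Flags only sink calls whose
query string is built at runtime, and suggests a parameterized rewrite.
"""
import ast
import re

# Constructed sample input: a concatenated query, an f-string query, a correctly
# parameterized query, a constant query, and string concatenation that is not a sink.
SAMPLE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_by_age(cur, age):
    cur.execute(f"SELECT * FROM users WHERE age > {age}")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))

def count_users(cur):
    cur.execute("SELECT count(*) FROM users")

def log_user(name):
    print("user: " + name)
'''

SINK_METHODS = {"execute", "executemany"}  # DB-API 2.0 cursor methods (assumed sinks)


def _text(node):
    """Literal text of a string constant, or source of any other expression."""
    return node.value if isinstance(node, ast.Constant) else ast.unparse(node)


def _is_format_call(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _parts(node):
    """Split `a + b + c` or an f-string into its literal and dynamic pieces."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _parts(node.left) + _parts(node.right)
    if isinstance(node, ast.JoinedStr):
        return [v.value if isinstance(v, ast.FormattedValue) else v for v in node.values]
    return [node]


def is_dynamic(node):
    """True only when non-literal data is demonstrably mixed into the string."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True  # "... %s" % value
    if _is_format_call(node):
        return True  # "... {}".format(value)
    parts = _parts(node)
    if len(parts) == 1 and not isinstance(parts[0], ast.Constant):
        return False  # bare variable: no proof without dataflow, stay silent
    return any(not isinstance(p, ast.Constant) for p in parts)


def suggest_fix(node):
    """Rewrite the query expression as (template, params) with %s placeholders."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        right = node.right.elts if isinstance(node.right, ast.Tuple) else [node.right]
        return _text(node.left), [ast.unparse(r) for r in right]
    if _is_format_call(node):
        template = re.sub(r"\{[^}]*\}", "%s", _text(node.func.value))
        return template, [ast.unparse(a) for a in node.args]
    template, params, prev_dynamic = "", [], False
    for p in _parts(node):
        if isinstance(p, ast.Constant) and isinstance(p.value, str):
            text = p.value[1:] if prev_dynamic and p.value.startswith("'") else p.value
            template += text
            prev_dynamic = False
        else:
            if template.endswith("'"):  # drop the quote the developer wrapped around the value
                template = template[:-1]
            template += "%s"
            params.append(ast.unparse(p))
            prev_dynamic = True
    return template, params


def scan(source, filename="<input>"):
    """Return one finding per sink call whose first argument is built at runtime."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_METHODS or not node.args or not is_dynamic(node.args[0]):
            continue
        template, params = suggest_fix(node.args[0])
        receiver = ast.unparse(node.func.value)
        findings.append({
            "line": node.lineno,
            "call": ast.unparse(node),
            "fix": f"{receiver}.{node.func.attr}({template!r}, ({', '.join(params)},))",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: SQL built from runtime data: {f['call']}")
        print(f"    replace with: {f['fix']}")
```

Run against the sample it reports exactly two calls (the concatenation and the f-string) and leaves the parameterized, constant, and non-sink cases alone; each report carries the rewritten call the developer can paste in. The design choice is the point: a check that only speaks when it can name the problem and the fix costs a developer seconds, while one that flags every `execute()` costs them an afternoon of triage.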
Create a Mask-Wearing Culture
Finally, the most powerful thing we can do to change behavior is to create a positive social norm. When we want people to wear masks, we tie mask-wearing to positive social values, like protecting others against the coronavirus.
We can do the same thing for application security. In addition to prioritizing fast development and code quality, we need to establish a cultural norm that encourages secure development. By encouraging secure practices, celebrating security wins, and rewarding caution, we can make security the de facto culture in our development teams.
This article is co-authored by Prabhu Subramanian.
Published at DZone with permission of Vickie Li.