- Secure Development Leaders
- Posts
- Can culture change cure our secure software challenges?
Can culture change cure our secure software challenges?
If you want your team to build secure software, can building your development culture improve outcomes and reduce the need for expensive tools?
No matter how much we wish for it, there really is no cure all solution to software security.
Perhaps that isn’t the inspirational opening line you were hoping for but stay with me. It’s an important premise from which we will start and to be honest, why this newsletter exists at all.
Let’s change the conversation about secure development and find an approach based on collaboration, supported by strong leadership.
I have spent the last 20 years in the software industry. In this time I have played many roles: from software developer to tester, from penetration tester and red teamer and even had an ill-advised stint as a qualified auditor. In all this time however and despite the huge variety of roles - I can’t ignore the dissonance we have when it comes to security tools.
As software engineers, we know that its almost impossible for a tool to solve a complex issue such as preventing all security flaws in software. We know this because we build complex systems every day. Conversely, we all hope that one day, a magical solution will appear that will make this hard, unrelenting problem go away.
While dreams are free, delusions cost us dearly. Not only in terms of the money we spend on tooling every year but also in the time and energy we spend trying to make it work.
So what if we changed the way we think about software security? What if this very technical domain has a lot more in common with our existing software challenges like scaling, performance, usability and resilience than we like to admit. What if the technology isn’t the cause at all?
As security leaders, can we use use culture to improve the security of the software we build?
I’m a strange sort of application security person. I am genuinely excited for the amazing advancements we are making in software development, across every industry. For me, we are living in an age of exploration and technological revolution, the impact of which its almost impossible to guess.
Without this industry and this great age of software, there would be no need for people like me. My role in the world exists because we are taking chances, pushing boundaries and asking “how hard can it be?”. My job (and likely yours too) is to be supporting cast to this process and help it succeed (securely).
Each week I will dig into a different part of how we secure software, with a strong focus on what we, as secure development leaders can do to make this work painless and engaging for our software teams. I will take a look at current trends and approaches, research and news items as well as sharing approaches and lessons learned from the many teams I have worked with over the years.
Together we can normalise security and make it just another part of software quality.
I hope you find this newsletter useful. Like most things, communities thrive when they are interactive so don’t be shy. If you have questions, comments or feedback - please get in touch. I’d love to hear from you.
Until next week.
Laura
This week in #AppSec
Not had chance to read the software security news? Here’s what you missed this week.
Upgrade GitLab Now
https://thehackernews.com/2024/01/urgent-upgrade-gitlab-critical.html
NIST warns about security and privacy concerns of rapid AI development
https://thehackernews.com/2024/01/nist-warns-of-security-and-privacy.html
Pentesting Restaurant Software - Why security matters, no matter what you are building.
Podcast: Build Amazing Things (Securely)
Want more? Build Amazing Things (Securely) features interviews from software leaders and security folk from around the world. Explore how security works with some of the world’s most innovative technologies. You can subscribe on Apple, Spotify, Google, or wherever you listen to podcasts.
Upcoming Events
Want to meet up in person or come along to an event. I will be speaking at or attending the following events this year.