Three essential ingredients for secure development culture

Want to change how your software teams embrace security? They need something first (and, spoiler, it's not a tool).

Beneath any secure development program is a foundation built on people. In this week's newsletter, we're going to take a look at the essential things that you need to provide to the people on your team if you're going to successfully change your secure development culture.

At its root, security is not about technology, it’s about people. Like most people challenges, it can’t be solved with a magic tool or box.

The solution to our product security problems requires a group of people who understand the problem particularly well, working together as best they can to solve it. Solving it might look like stopping bad things from happening. It might just mean spotting a bad thing when it does happen, and in worst-case scenarios, it means working together as a team to respond quickly to minimize the impact.

So before we get into the structure of the program and how we're going to build it, let's talk about some things you can give to your team to help them embrace secure development and engage with your fledgling security program.

#1 Education

There is a broader point here than which skills you should teach.

Software developers and development team members don't automatically come into their roles with experience and knowledge about security. More importantly still, even before we get to the technical skills required to secure software and to do product security, there is a fundamental understanding that you need to have about why this matters.

Without the education to understand the "why" of security, it's really hard for us to devote any time or energy to it.

After all:

  • Would we bother recycling if we didn't know why it mattered?

  • Would we bother reviewing pull requests if we didn't know why the pull request method matters and the impact it can have on the quality of our software?

In the context of secure development culture, education isn't just about technical skills. It's about having a shared understanding and a shared language for why security matters, for your organization and for your team.

Education can come in many forms. It doesn't have to be particularly formal. It could just be you standing at the front of the room with a short PowerPoint deck, explaining a few things.

However you do it, the aim of education is to give everybody that shared language and shared understanding, so that when you come to ask for a new behavior or a change to an existing behavior, there isn't a question of "why are we doing this?" Instead, our teams understand the "why" and focus on the "how".

#2 Empowerment

We're going to talk at length in future newsletter episodes about security champions programs and their importance in this space. But it is my true belief that everyone in software, in every role (developers, testers, analysts, architects), has something they need to do when it comes to securing software.

It doesn't mean that they do everything, but for each role and each person there is a set of (normally quite small) things that they are empowered to do. These are practical steps they can take to improve the security of the product they're working on every day, in every line of code, every design, every sprint.

Without empowerment in secure development we have dependency and disengagement.

Dependency is what you get when they have to go and ask somebody for help, put in a request for somebody else to do it, or route it through a central team.

This creates all manner of challenges, including:

Slowing down teams

If only one group of people is allowed to complete security tasks, they are going to be very busy. We know that bottlenecks like this don't scale and certainly don't improve performance.

Disenfranchisement

There's nothing worse than being taught why something is important and then being told you can't do anything about it. Engineering teams are smart cookies. They know how to do a great deal of things and they're very good at learning. So telling somebody that they should be doing something, but that they can't do it for themselves, can be really frustrating.

Loss of experience and creativity

It also means that you're losing out on all of the experience and creativity that your team might bring. If you educate them about a problem and empower them to solve it, you may find that their solutions are actually better than anything else you could have thought of. Their solutions will be more context-specific and benefit from their wealth of experience.

If your team decides to work together on a solution, that combined effort will have a powerful multiplication effect on engagement across your whole team.

Empowerment is really powerful, not just because it's in the name.

#3 Accountability

It's really easy for us to say everybody should be accountable for their actions. But it has to mean something.

If, as a team, everyone knows that security is important and what we expect them to do (education), and everyone has the power, tools, resources and time to do that thing (empowerment), but still nothing is done, then we have an accountability issue.

Accountability encourages us to formalise our expectations of our team. It communicates what good looks like and lays out the impact if that level is not met. Accountability is part of cultural respect.

When someone is held accountable for something, there is a two-way balance.

  1. The person who is now accountable must meet the expectation and respectfully communicate if there will be challenges to meet it (helping identify and remove blocks).

  2. The person who is giving the accountability must understand the cost of this accountability and the impact it will have on the newly accountable person's world (listening to feedback and adjusting when it is given).

Bonus: Acknowledgement

When there is accountability, we normally focus on the repercussions that happen if someone fails to meet the expected standard or deliver on their obligations.

On the other hand, if we find that somebody has been doing well (meeting or exceeding expectations), then we need to make sure it is acknowledged. In security we have a long tradition of talking about issues and negative outcomes, and we are very bad at saying "good job" and "I see you, that was great".

We cannot have accountability without acknowledgement if we want people to follow our program for the long term.

In an unwinnable, infinite game like secure development, acknowledgement is our main reward and the way we incentivise people to keep going, even though the road is long and hard.

If you are going to try to build the security culture of your team and build an application security program on top of it, then those three things, education, empowerment, and accountability, with the additional bonus gift of acknowledgement for your team, can be powerful ingredients to make sure that whatever program you build, every role in every team is engaged and able to be part of it.

Homework

I love a bit of self-reflection when it comes to building a cultural foundation. Check out the following questions to help you think it through.

  • How has this worked in your team?

  • Have you found it difficult to educate?

  • What have you found worked for you?

  • What about empowerment?

  • Is there a fine line between how much you can empower a team and the risk of things going wrong?

  • How have you found ways to measure and record accountability? Is it in your job descriptions? Is it in your roles?

We're going to follow up on this and more in future episodes of this newsletter.

Send in your suggestions and comments; I'd love to know what your thoughts are on these essential ingredients for secure development culture.

Until next week.

Laura

This week in #AppSec

Not had a chance to read the software security news? Here's what you missed this week.

Podcast: Build Amazing Things (Securely)

Want more? Build Amazing Things (Securely) features interviews from software leaders and security folk from around the world. Explore how security works with some of the world’s most innovative technologies. You can subscribe on Apple, Spotify, Google, or wherever you listen to podcasts.

Upcoming Events

Want to meet up in person or come along to an event? I will be speaking at or attending the following events this year.