AppSec Blog

Developer Security Awareness: Is Security Your Top Priority?

In the last post (Developer Security Awareness: Why Do We Care?), we discussed what we should take away from publicized security events. Let's discuss why we are failing, and what we can do to make it better.

Why are we failing?

Software has become a requirement across all industries in today's world. Every market is included, from finance to travel, industrial, healthcare, retail, entertainment, and many more. Everyone is realizing the benefit of automating tasks and accessing information using laptops and mobile devices from home, the office, or virtually anywhere.

The teams working on these applications are given rigid deadlines and are working long hours to meet the demands of their stakeholders. During these times, security vulnerabilities are accidentally introduced as changes are rushed through the pipeline to provide that next groundbreaking feature to the customer.

Many years as an application security consultant have allowed me to see firsthand how often these vulnerabilities exist in high profile applications. The same high-risk vulnerabilities continue to show up year after year and application after application. The types of vulnerabilities that open the door for attackers to breach our organizations are accessible to anyone that registers for an account in a web site. In many cases, the vulnerabilities are buried in application code that hasn't been modified for years, and often only require a few minutes to fix.

Unfortunately, prioritizing enhancements and feature releases over security continues to allow these vulnerabilities to be deployed and lie dormant until it is too late. As long as organizations continue to accept bolting on security features post-deployment, project and development teams will continue to view security as a low priority.

How can we improve?

The first step in changing the security culture of an organization starts at the highest level of management. To quote Bill Gates, the co-founder and former CEO of Microsoft:

"When we face a choice between adding features and resolving security issues, we need to choose security."

This quote provides a perfect example of an organization dedicated to changing its security culture to be the top priority.

The second step requires the organization to provide all employees with the resources they need to create secure software. To build their security knowledge, project and development teams should be required to take security awareness training that illustrates the hostile environment their applications will be exposed to after deployment to production. Upon completion, everyone involved will understand why security is important and remain engaged as security discussions occur.

In the next section, we will explore the types of developer security awareness training that should be provided.

4 Comments

Posted February 18, 2015 at 8:14 PM | Permalink | Reply

Dave Ferguson

Great post. I hadn't seen that quote from Bill Gates. Unfortunately, I'm not sure C-level executives recognize that security has anything to do with software development. They assume Security can do their thing while Development goes about building new products and features. We've got to overcome that mindset, but it's very slow going.

Posted February 20, 2015 at 1:16 PM | Permalink | Reply

SoftChamp

Eric, please let me add that when it comes to virtual security, each single user should be aware of it, not only devs.

Posted March 2, 2015 at 2:52 PM | Permalink | Reply

Jessica Dodson

During these times, security vulnerabilities are accidentally introduced as changes are rushed through the pipeline to provide that next groundbreaking feature to the customer."
Speed and security usually don't play well together. When you rush to production there are bound to be tiny loopholes that the team just doesn't see because the system hasn't been totally vetted. And while no one may notice now they will for sure notice when you've been hacked!

Posted March 5, 2015 at 8:30 PM | Permalink | Reply

Eric Johnson

@Jessica ''" Absolutely agree. Unfortunately, a lot of security cultures are still reactive rather than proactive.

Post a Comment






Captcha


* Indicates a required field.