The future of developer security maturity is bright, and these verticals are leading the charge
by Fatemah Beydoun, Chief Customer Officer, Secure Code Warrior
An unspoken war is raging in most IT departments across the world, a David and Goliath battle between two critical teams: application security and developers. With conflicting priorities and relationships that are often extremely negative, it is no wonder some internal security cultures are on life support.
Okay, perhaps that was a little dramatic, but it reinforces my argument: we have got to do more to foster a positive security experience for developers. It is no longer good enough to exclude them from a comprehensive, defensive security strategy. With the cost of the average data breach swelling to $US4.35M in 2022, it is imperative we give cyber defence our best shot. That will mean taking an honest look at internal security maturity, and building it upon a strong foundation. As an industry we have a long way to go to uplift developer security maturity. However, in my role, I am fortunate to work with many organisations leading the charge in helping developers become the security superheroes we need on the front lines. Generally, their overall internal security maturity is more advanced than the norm, and some verticals seem to achieve maturity faster than others. Let us explore why.
MODERN SECURITY MATURITY: WHICH VERTICALS DO IT BEST, AND WHAT SETS THEM APART?
There are multiple security maturity models, but across the board the adoption of security maturity basics like overall role-based awareness and relevant skills is somewhat hit-and-miss. However, I have found the financial sector to be ahead of the game in both security maturity and in its willingness to make developers part of the plan.
This is perhaps not surprising: financial organisations are subject to stringent security regulations in most countries, and compliance rules like PCI DSS demand continuous attention and adherence. Financial organisations achieve compliance by adopting modern security techniques despite many being constrained by legacy platforms and systems. Some of our clients still use COBOL, a programming language that originated in the 1950s. However, they ensure their COBOL developers have precision training in secure coding, and continuous exposure to the latest vulnerability mitigation strategies.
Another factor is the increased effort devoted to benchmarking current developer security skills and building upon these with structured programs that suit the security needs of the organisation. With the right guidance developers will gradually get onto the same page as the application security team and will see the role they can play in securing software and making security a priority.
NURTURING DEVELOPERS AND MAKING THEM PRINCIPAL CHARACTERS IN THE SECURITY STORY
Overall, it takes an organisation-wide effort to raise security awareness, ensure everyone is equipped with the right skills and knowledge to play the part their role requires, and expand the security strategy well beyond automation and scanning tools to embrace people power.
Companies that make developers central to their defensive efforts reap the benefits of early vulnerability eradication and reduced pressure on the application security team, giving it the breathing space to work on the complex problems only its members can fix.
Such future-focused organisations follow a pattern for developer upskilling that often exhibits these three core elements.
• Reward and recognition. Developers have been disadvantaged insofar as the status quo dictates security not be their top priority when shipping code. Nor are most teams measured on their security prowess through their KPIs. Advanced security maturity turns this idea on its head and gets developers to share responsibility for security. This is a significant shift, and those who embrace secure coding should be recognised and rewarded for their efforts. Peer recognition is especially powerful and can lead to better career opportunities and leadership roles.
• Certification. Internal programs which structure tiered learning modules that are both job-relevant for developers and organisation-critical can give developers the opportunity to work towards recognised credentials that can elevate their status and show at a glance that the company is committed to the highest standards for everyone working on code. With the introduction of measures like the Biden Administration’s Executive Order around verified security skills for those involved in the software supply chain, the need for certification will grow.
• Cultivating a positive security culture. While it seems simple, fostering an organisation-wide security culture that embraces developers and maintains positivity is no cakewalk. Breaking down silos between application security and developers, focusing on software quality over speed, and making security more fun and less daunting should be prioritised. However, it really does ‘take a village’, and it takes endorsement from the CISO to set and uphold standards of security awareness and action.
Those companies that are truly at the forefront of developer security maturity go well beyond simply ‘ticking the box’ for compliance. Instead, they opt to invest in a transformational process for both individuals and the culture in which they operate. It is my hope that more verticals will follow their lead and help set a new standard for code-level security.
www.linkedin.com/in/fatemah-beydoun-b6555bb1