Microsoft’s Tanya Janca highlights a lack of training and pre-existing attitudes as a key fault in securing applications.
Security and developers need to work together to ensure a safer internet for the future.
This was a running theme at AppSec Europe earlier this month, when security in the workplace was discussed at length.
“Security is everybody’s responsibility,” Tanya Janca told attendees at the conference.
But she also urged employers to provide more basic-level training for all staff – or suffer the consequences of weak application security.
Janca spoke to The Daily Swig following her talk and offered her thoughts on how businesses can strengthen relationships between security teams and their colleagues.
You’ve previously maintained that security is everyone’s responsibility – how important is it for developers to work with a security-focused attitude in mind?
Tanya Janca: Since this is a theoretical question I can’t give you a measurable answer, but I can tell you a few things: Fixing security issues later costs more money; creating software without a security-focused mindset means less secure software will be produced; and dealing with security for the first time after a product is released is the most expensive, damaging, and embarrassing way to perform security.
Part of the problem with prioritizing security is that when you are doing a great job of security, nothing happens – or if it does, it’s handled well and with little mess.
Security is usually only visible when something goes wrong. Telling developers that there’s “a risk rating of 10”, “websites are getting hacked all the time”, or other vague comments intended to induce fear, will not make them see security as a priority.
In my experience, most developers have a lot of pride in the work they do, and they want to create a quality product, which means a secure product.
If you teach them about security, if you show them the risks – creating exploits, explaining the theory – they will prioritize it for themselves, naturally.
How can security specialists go about encouraging this attitude among their developer colleagues?
TJ: I have done quite a bit of research on this, which I released as part of a talk.
The key is enabling the developers and security people with tools, resources and training, so they know what they are doing, and then initiating culture change.
Do you find there is a strained relationship between security and developers?
TJ: Most IT shops have a lot of friction between the security team and all the other teams, and a lot of it has to do with not having the skills, resources, or tools to get the job done, and [it can be] a pre-existing culture that does not encourage the teams to work well together.
Some specific ideas for this are holding lunch-and-learns or other training sessions about relevant topics, creating an application security team, providing developers with security tools and teaching them how to use them, creating secure coding guidelines so developers are aware of what is expected of them, and starting a security champions program.
It is my intention to release all of the research from a talk that I did on this topic in a series of blog posts.
What would you say are the challenges faced by security and developers in working together?
TJ: There are many, many challenges. I have repeatedly seen security teams that know nothing about creating software and developer teams that know nothing about security, leaving no one with the skills or dedicated cycles to do the application security work.
It is my opinion that AppSec should be a joint effort from both security and developers.
Other challenges are that many security teams are great at enterprise and network security, but lack the skillset and background to work in application security, meaning that most security teams don’t have someone that is able to do that type of work without quite a bit of training.
Additionally, most developers are taught little-to-zero about security when they study programming in computer science or computer engineering, meaning they also don’t even know where to start.
In summary, I feel the largest obstacle is knowledge.
How do we tackle this education gap?
TJ: In terms of what I can do, I have set a new career goal for myself to try to share as much knowledge on these topics as possible.
I feel that many educational institutions in the westernized world are failing us in this area, and it is my hope to help improve this situation through my open source project OWASP DevSlop, through my online content creation, through speaking at as many places as I can, and through my work at Microsoft.