In the year or so that I have been a member of Veracode's Customer Success team, I have heard the same remark from organizations of every kind: "We must implement secure coding practices to protect our brand, but we are up against very strict deadlines and need to ship code fast!" As we work with security and development teams alike, that statement opens a discussion that unfolds until we reach the question that comes up again and again: "How do we keep developers who are being pulled in several directions interested in secure coding practices as they move swiftly from one project to the next?"
It seems simple, even a bit silly, but no matter what type of organization we work with, from government agencies to financial institutions to consumer goods companies, one tactic works well for all of them: making application security fun.
So, Where Do We Start?
Before we decide how to entice teams or individual contributors by making security fun, let's consider why there is a need to do so. Is there a concern that proper secure coding practices are not being followed? Do teams need an extra push when it comes to initial testing, or to retesting after a fix, for security vulnerabilities? Perhaps there is a need to test earlier in the SDLC so vulnerabilities are caught before they cause brand damage or financial loss. The bottom line in each case is the same: in addition to meeting development deadlines, there is an equal need to become more secure.
Define the Goals
We know the end goal, an efficient and secure application portfolio, but how do we get there? It helps to define a series of smaller, measurable goals along the way, such as reducing the number of open high or very high severity vulnerabilities by 10% with each analysis or penetration test. Tie each goal to a specific measurement (which severities count, which applications are in scope, which scan is the reference point) so that progress reflects fixed flaws rather than changes in what was scanned.
Run a Baseline
So, how far are we from each of those goals? Before asking teams to work toward a more secure application portfolio, it is important to establish a baseline by gathering data on the applications as they stand today. That baseline is the starting point against which every later improvement is measured.
Once we’ve identified where we are and where we’d like to be, it’s time to get creative and start enticing the teams to improve the overall security posture. Let’s look at some examples of how other organizations have used fun and creative ways to see improvement.
How Have Other Organizations Made Application Security Fun?
Now, let's be realistic: we all have different definitions of "fun," but that doesn't mean you can't devise a solution that works best for your teams. Consider some of the examples below, or, if you have an idea of your own, share it in the comments.
Later, Lunch and Learn - Hello Happy Hour!
Instead of the typical brown bag lunch session, where a group is gathered in a room for training, demonstrations or general learning about the importance of AppSec, why not liven things up by putting a happy hour spin on it? This makes for a more casual environment, for sure, but it may also get the creative juices flowing and lead to a more interactive session. If team members are engaged, the message will stick with them much longer.
I don't know what it is about friendly competition at work, but it certainly can go a long way. Who doesn't want bragging rights to, well, anything? Consider starting a competition built on the goals you have defined, with a leaderboard posted on your intranet and updated weekly to show who is on top.
Become a (Secure Coding) Jedi Grand Master
Sure, there are plenty of ways to rank the teams (martial arts belts, medals, ribbons and so on), but what's cooler than being named a Jedi Grand Master? Team members could rise in rank based on overall improvement over time, or on the levels of training or eLearning they have completed. Consider badges or certificates to show off, and see how many Padawans develop into Jedi Masters over time.
How About…A BRAND NEW CAR!
Ok, so nobody expects you to hire one of Barker's Beauties to present the team or developer who has shown the most improvement with a new car, but there are certainly more sensible prizes to consider. From iPads or gift cards to vacuum cleaners or concert tickets, the possibilities are endless.
To keep a short-term focus, individual contributors could collect a raffle ticket at the end of each week for every goal achieved, then turn the tickets in for a chance at a larger prize at the end of the quarter.
At the team level, a group prize may be in order. A trip to a local amusement park, a dinner cruise or group tickets to a sporting event will also promote some camaraderie.
The Proof is in the Pudding (or Score Card)
So, how do you show improvement for an individual developer? For a team? For a business unit? Consider the Project Green Light program on the Veracode Platform, which lists, for every scan, a count of the potential vulnerabilities the code properly defended against. In the end, we want to empower security leads and developers to spread the word and push for secure coding practices even as deadlines are met. This is easy for the AppSec team to track when all developers use one central platform (Veracode) for scanning, remediating and reporting. These practices also fit very nicely with an upcoming blog post by my colleague, Pejman Pourmousa, on scorecarding and governance.
Best of luck, and of course, have fun!