Application security isn't just a list of practices or a set of rules to go by — it's a state of mind. Even if that sounds hokey, it's also absolutely, totally, 100 percent true. Without the proper culture instilled at an office-wide level, no cutting-edge protocols or best practices can save you from introducing security flaws into your work.
The good news is that such a culture can be built. If your office doesn't yet reflect a real commitment to security, take a look at this road map, tailor it to your own situation, and give it a go. The results just might surprise you.
This first step requires a commitment to security — not from your entire office, but from you. Getting on board and enthusiastic early isn't just about setting an example (though that's a major aspect of embracing AppSec), but about helping you pitch the idea to any less-than-enthusiastic parties when it comes time to introduce the changes to your team.
Committing to change means understanding why it's coming, which in turn helps you explain the need for a sharper security focus in clear, grounded, logical terms. "When people listen to a senior management person 'selling' them a change," as one article on change management puts it, "decent diligent folk will [think to themselves], 'I don't like this. I've not been consulted or involved. I am being manipulated.'" When you're speaking to a group of developers and engineers, who are generally very bright and prone to skepticism, that feeling can be a very bad thing indeed. Demonstrating your own commitment, and being able to explain the reasons behind the change, can help head it off at the pass.
Once you've committed to the idea of security, it's time to see where you can improve in practice. Pinpointing areas of improvement makes sense from practical and personnel standpoints: Bringing concrete examples to your people is important, and it's impossible to improve if you don't know where your weaknesses lie.
Bringing in outside expertise is a good way to approach this. A fresh set of security-trained eyes can help you zero in on the areas where your team's code and process fall short, then help you define policies and practices to address them. Do it right, and you'll give your team concrete findings to work from and the kind of tools that help defend against a wide range of security issues and exploits.
This is (or at least can be) the tough one. Those previously mentioned less-than-enthusiastic parties need to be swayed in order for your security culture to take hold — no matter how much you preach, they're the ones who'll end up producing the code, and that makes them gatekeepers to your organization's revamped focus.
One Workplace Psychology update gives some great advice on the subject: If you want to prove your vision is beneficial, you need to show results by producing "short-term wins," otherwise known as small-scale proof that your new culture will succeed. How this works varies from business to business and project to project. If you're struggling to find smaller wins for your own group, you may want to consult those experts you brought in.
Managing change in any organization isn't just about implementing new practices and policies; it's also about making sure they're followed weeks, months, and even years after the fact. Continued education and coaching are a good start here: Not only will you give your developers more tools to help combat application security issues, you'll keep the idea of security fresh in their minds until it becomes the standard.
Beyond education, the other measures are up to you. One effective method is positive reinforcement: it recognizes and rewards developers who do the right thing and generally paints the change you're implementing in a positive, not punitive, light. Whatever else you do, the end goal is to cement the idea that a focus on security is here to stay.
To paraphrase one of our favorite quotes on the practice of security culture: Two organizations with the same practices and standards can have wildly different results in terms of security, and the difference is always culture.
Application security is more important now than it's ever been, and it'll only continue to gain prominence. Switching to a security-minded focus makes perfect sense, no matter the size or goals of your organization. However you choose to do it, make sure you do — anything less is sure to cause you trouble later down the line.
Photo Source: Wikimedia Commons