RSA is fast approaching, and as we here at Veracode are busy prepping for our trip out to San Francisco, we have been thinking about the theme of this year’s RSA conference – “the human element” – and what that means for us and for application security.
The RSA Conference website explains that the “human element” theme this year highlights that “the actions we [security] take can affect every aspect of humanity. We’re the ones on the front lines, protecting not just data, but our most vulnerable people and every aspect of our lives.” Coincidentally, we just published a compilation of Veracode customer profiles, Spotlight on Companies Changing the World: How Software and Security Are Transforming the Way We Live. This compilation highlights the fact that Veracode is not just securing software; our customers are changing the world and making a positive impact on communities and lives with software, and we’re partnering with them to protect and support those initiatives. As software increasingly touches every aspect of our lives – from healthcare to education to government – the security partnership becomes more and more critical, and we take that very seriously.
There are human elements in what we are protecting, but there are also human elements in how we are protecting. We spend a lot of time talking to our customers and prospects about the fact that effective application security requires more than technology – here are some of the AppSec “human elements” that play a critical role in successful programs:
Collaboration Between Security and Development
As application security has “shifted left” earlier in development cycles, security and development teams need to understand each other and work together more than ever before. A recently published Securosis report titled, Building an Enterprise DevSecOps Program, sums it up well:
“Most security practitioners come from a network security background, and many CISOs we speak with are more risk and compliance focused, so there is a general lack of understanding of software development. This lack of knowledge of development tooling and processes, along with common challenges developers are trying to overcome, means security teams seldom understand why automated build servers, central code repositories, containers, Agile and DevOps have caught fire and have been widely adopted in a very short time.”
The report goes on to advise security professionals:
“You need to consider how you can improve delivery of secure code without waste and without introducing bottlenecks in a development process you may not be intimately familiar with. The good news is that security fits nicely within a DevOps model, but you need to tailor things to work within your organization's automation and orchestration to be successful.”
Bottom line for security professionals: Get to know and understand your development teams and their pain points and priorities. You won’t be able to effectively secure their processes without this understanding. In addition, consider adding developer security training to the mix. Most developers don’t have the security skills or know-how they need to code securely – it’s simply not taught in the vast majority of universities, or offered on the job. Work to understand their processes, and enable them to understand yours. Our guide, The Security Professional’s Role in a DevSecOps World, is a good starting point.
Another low-tech, human AppSec element that has been coming up in customer conversations recently is the security champion. In the report referenced above, Securosis analyst Adrian Lane writes, “I spoke with three midsized firms this week — their development personnel ranged from 800-2000 people, while their security teams ranged from 12 to 25. They typically had two or three security personnel with backgrounds in application security. They may be rare as unicorns, but that does not give them magical powers to cover all development operations, so they need ways to scale their experience across the enterprise. And they need to do it in a way which meshes with development objectives, getting software development teams to implement their security controls.” He goes on to say, “One of the most effective methods I have discovered to scale security is to deputize willing developers with an active interest in security to be ‘security champions’ on their development teams.”
Security champions act as security force multipliers on development teams. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance.
Visit Us at RSA
Let’s continue the conversation at RSA. Stop by our booth, N 5553, to see a product demo or chat with one of our experts. See this web page for details on our speaking sessions, and on how to schedule a meeting with one of our execs. Hope to see you there!