Most security teams and security executives want developers to care about application security. This is not to say that developers don’t care about security. Such a sweeping generalization is simply not appropriate. There are developers who care. Still, what organizations want most is to increase the number of developers that do care and decrease security bugs in their software. No one wants to create the new “Heartbleed” and become the next headline.
What makes some developers different? What makes some developers love security and want to make their software secure and others not seem to care? Some clues can be found in Angela Duckworth’s study of grit, specifically in her book Grit: The Power of Passion and Perseverance. In it, Dr. Duckworth explains our ability (or lack thereof) to stick with something over a long time and become an expert.
Let’s see how the properties of grit, as discovered by Dr. Duckworth, can help encourage developers to enjoy security. We’ll focus on two aspects of grit: interest and practice. Understanding these properties of grit will guide your decisions on how best to teach your developers secure coding practices.
Building interest in security
Many believe “finding your passion” is the key to finding happiness in your career. There’s an “a-ha!” moment where you just know that you’ve found what you want to do for the rest of your life. Then, you quickly become the best at doing it because of your “natural” ability. Science disagrees with this notion.
“Here’s what science has to say: passion for your work is a little bit of discovery, followed by a lot of development, and then a lifetime of deepening.” Interests don’t appear in an “a-ha!” moment at all.
“Interests are not discovered by introspection. Instead, interests are triggered by interactions with the outside world.”
Science shows that interests build over time, instead of being sparked by just one moment of revelation. At first, someone may be exposed to a subject and not think much of it. Over time, after being exposed several more times to the same subject, someone develops an interest. Then comes a time of testing to see if the interest will stick. This knowledge can be used by security leaders to plan how they train their developers.
Regular exposure for developers
Security training for developers can be hit-or-miss. It can range from in-depth study of security topics in a classroom to voice-over-PowerPoint presentations every year for “awareness”. When classroom training is given, it’s rarely a regular occurrence. Maybe once a quarter or a couple of times a year developers get the chance to learn about security from an expert. They quickly forget what they learn.
Instead, developers need regular exposure to application security training. The best option is to give them on-demand security training so they can be exposed to it on a regular basis. When a developer runs into a security problem, they should have a place to go for the answer to their problem. Easy access to security training also allows developers to see if an interest or passion could develop. Some developers will use the training more than others and show an interest in security. But giving them regular exposure is how to find those developers.
“Remember that interests must be triggered again and again and again. Find ways to make that happen.”
Exposure to a subject is only the first step in building passion and grit. You also need to practice.
Practice security – deliberately
The age-old adage states, “Practice makes perfect.” While practice is important, the way you practice may be more important, according to Dr. Duckworth. She introduces us to the concept of deliberate practice.
“Rather than focus on what they already do well, experts strive to improve specific weaknesses. They intentionally seek out challenges they can’t yet meet.”
Experts don’t practice the same thing over and over. Rather, they find specific ways to improve and strive to practice those specific things. This helps to hone their overall skill set. Deliberate practice has a large impact on success. When studying spelling bee champions, Dr. Duckworth found this to be true:
Regarding spelling bee winners: “Deliberate practice predicted advancing to further rounds in final competition far better than any other kind of preparation.”
Deliberate practice is important to help the good to become great. Another major factor is feedback. Feedback on what went well and what didn’t gives those with grit the fuel for deliberate practice.
“As soon as possible, experts hungrily seek feedback on how they did… experts are more interested in what they did wrong–so they can fix it– than what they did right.”
In a nutshell, experts tend to look for specific ways to improve their skill and then work until that skill is improved. Then they move on to another skill, and another, building a deep well of skills available to the expert. Application security training works the same way.
How to make security practice deliberate
There are three requirements for the deliberate practice of security concepts:
- Specificity in training options
- Fast feedback
- Availability of training for continuous practice
Let’s take a look at each in more detail.
Specificity in training options. If your developers are using Python to build web applications, then Node.js training won’t help them nearly as much. Generic training with general guidance helps some, but then your developers are responsible for finding more information on their specific technology after the training is over. Training should match what your developers use in a practical way. Developers can’t practice specific skills without writing code in the language they use every day.
Fast feedback. Feedback is essential. When learning to incorporate good security practices into complex software, feedback needs to be there every step of the way. Structure practice as a sequence of concrete steps that each fix a real security bug, so developers know immediately whether they’re on the right path or the wrong path.
Availability of training for continuous practice. Practice must be regular to be effective. The tools used for practice have to be readily available so practice can take place. On-demand security training for your developers allows them to concentrate on their areas of need on a regular basis. Regular practice will help your development team fill in the gaps and build more secure software.
When security training is less about compliance and more about giving developers the tools for deliberate practice, software is safer and so are your end users.
Encourage security grit in your developers
Change how security training is delivered to change the attitude of your developers. Encourage grit in your developers. Over time, their security skills will pay off. And you don’t have to do it alone. Veracode's Security Labs can help you deliver training in the language your developers use, provide step-by-step feedback in interactive labs, and give your developers practice on demand. Get in touch with us if you want to learn more.
Don’t just train your developers. Encourage them to develop their interest in application security. Not all developers will become security experts, and it’s okay if they don’t. But some seeds planted will grow. Some developers, given the opportunity to build their interest with regular practice, will become champions for security. They’ll build a passion. They’ll become gritty. And gritty developers write secure code, protecting your reputation, your assets, and your customers.