There seems to be a theme going around the security industry lately … focus less on preaching to the choir and more on “inceptionizing” security to people building the systems. As an example in last week’s Dark Reading “Walking In The Application Developer’s Shoes” article, Kelly Jackson Higgins discussed how many security professionals are taking it directly to the developers in the application security world.
Developers don’t necessarily understand the implications of a lack of security. If their program performs the required functions, in a lot of developers’ minds they have succeeded at their job. Ideally, developers would become more knowledgeable about security flaws in the applications they are creating. Unfortunately, most companies do not incentivize the development of more secure products. They tend to push more features with tighter deadlines over security.
Who pays the price when vulnerable applications are released? In some cases it’s the company that produces the software. They may deal with a loss of reputation, among other things, which in turn can lead to a decline in revenue. In most cases, though, it’s the end users of the products who suffer due to the potential exposure of their personal information.
Over the past year many security professionals have set out to change this. As evangelists of the security industry, they are stepping out beyond the cozy confines of the security industry and spreading the message directly to developers by becoming more active in their communities. By reaching out, as noted in the Dark Reading article, people like Jeremiah Grossman, Marisa Fagan and Chenxi Wang feel they can have the greatest impact on the application security problems we are facing today.
Beyond application developers there may be other professions that we should embed ourselves in. I don’t know … perhaps networking … or maybe databases … Just like application development, these areas need to embed security as well. So whatever your passion … find a non-security area that piques your interest and try a little less preaching to the choir and a little more “inceptionizing” security into these other communities.