Application Security – Taking it to the People

There seems to be a theme going around the security industry lately … focus less on preaching to the choir and more on “inceptionizing” security to people building the systems. As an example in last week’s Dark Reading “Walking In The Application Developer’s Shoes” article, Kelly Jackson Higgins discussed how many security professionals are taking it directly to the developers in the application security world.

Developers don’t necessarily understand the implications of a lack of security. If their program performs the required functions, in a lot of developers’ minds they have succeeded at their job. Ideally, developers would become more knowledgeable about security flaws in the applications they are creating. Unfortunately, most companies do not incentivize the development of more secure products. They tend to push more features with tighter deadlines over security.

Who pays the price when vulnerable applications are released? In some cases it’s the company that produces the software. They may deal with a loss of reputation, among other things, which in turn can lead to a decline in revenue. In most cases, though, it’s the end users of the products who suffer, due to the potential exposure of their personal information.

Over the past year many security professionals have set out to change this. As evangelists of the security industry, they are stepping out beyond the cozy confines of the security industry and spreading the message directly to developers by becoming more active in their communities. By reaching out, as noted in the Dark Reading article, people like Jeremiah Grossman, Marisa Fagan and Chenxi Wang feel they can have the greatest impact on the application security problems we are facing today.

Beyond application developers there may be other professions that we should embed ourselves in. I don’t know … perhaps networking … or maybe databases … Just like application development, these areas need to embed security as well. So whatever your passion … find a non-security area that piques your interest and try a little less preaching to the choir and a little more “inceptionizing” security into these other communities.

3 comments for “Application Security – Taking it to the People”

  1. March 16, 2011 at 9:39 pm

    This is not really anything new. There have been Application Security teams within Fortune 500 companies doing this for years. I was the tech lead of such a team for the past 10 yrs. BSIMM even mentions this. Qwest’s AppSec team was exclusively made up of developers who learned security (vs. security people who learned development).


  2. March 18, 2011 at 2:29 am

    Thanks for your comment … and I agree that this is not anything new.

    However, has much changed in the past 10 years? It’s starting to, but we have a long way to go. Maybe it works at SOME Fortune 500 companies, but that’s probably just a small percentage of them. And even for the ones that do, it usually just affects a small percentage of their products. Compounding this issue are SMBs that drive the majority of our economy. With limited budgets and tight deadlines, software is developed and published ASAP with hardly any effort spent on security.

    Overall, though, this post was meant to inspire security professionals to reach out to developer and other communities more, where we could have a bigger impact on improving security. Maybe this could be running formal training at Fortune 500 companies or speaking at a large industry developer conference. The problem is that the majority of the people you are trying to reach will not be there. Although these formal efforts do help, we need to work grass-roots by focusing instead on local developer meetups and smaller informal conferences where we as a security community can reach a much larger audience.

    Again, thank you for your comment and thoughts …

  3. raelyn
    March 18, 2011 at 8:11 pm

    The intent was never to place a spotlight of blame on anyone, more to inspire the security community to reach out to developers in a way that can truly make a difference. It is good to know that there are companies who are providing security training to developers, as there are still companies where security people can’t even get decent security training! Thank you for your feedback!
