Originally published on DevOps.com
In today’s fast-paced environment, security often plays second fiddle to deadlines. That means software development doesn’t typically get considered when building secure applications, rather it’s the innovations that can be quickly implemented which take center stage. Unfortunately, ranking short term tactical gain over long term vision is undeniably flawed. Doing so ignores the fact that attacks are more sophisticated than ever before, and applications that have security holes have become a key focal point for those attackers because once a vulnerable application is discovered it becomes easier to compromise a wide set of users at once. But change requires more than drastic measures. It requires an unconventional strategy to adjust culture and behaviors throughout the organization.
Although the tools and practices to build secure, defect-tested software are maturing, most organizations find internal hurdles to be more daunting. Organizational impediments including process, differing software development approaches, and short-term business drivers – like the need to update apps to reflect the latest must-have features and platform support – make it more difficult to effect meaningful change. Those interested in leading secure development initiatives within their organizations face myriad challenges.
Step out of your comfort zone to influence culture, process and strategy change
Often, folks who find themselves in the position to step up to the plate and change culture did not initially plan to do so. The developer who is chosen to lead the charge and establish a process that ensures applications are securely built is extraordinarily smart and devoutly technical. In order to begin changing the world, he or she will need to utilize approaches outside of their comfort zone. Success will rely on the acknowledgement that a full frontal assault on the status quo will not do. Instead, hearts and minds must be won. The skill sets that propel developers’ careers forward must take a back seat to the forces of leadership and persuasion, not coercion, which will ultimately affect the cultural shift in an organization’s application development mindset.
To effectively change the way organizations build software, an enterprise-wide initiative is required – one that accounts for organizational culture at each step. By taking a step-by-step approach, implementing a successful software security initiative does not have to be so daunting. Five proven best practices include taking a disciplined approach by characterizing the landscape, securing champions, defining standards and strategy, executing, and then sustaining the effort. These steps, as outlined below, will help ensure that your corporate-wide efforts to secure applications are as productive as possible.
Characterize the Landscape – Understand the task ahead and craft a realistic strategy for adoption within your organization. Whether that be identifying your organization’s compliance framework and cultural norms, to artifacts of the software security and what software development lifecycles you have in place. Being able to characterize your existing landscape allows you to fill the gap between policy and practice.
Secure Champions – Focus explicitly on the fact that you will need clear support of executive sponsors and other key influencers in the organization in order to be successful. While senior leaders may not understand or care about the minutia of software vulnerabilities, they will appreciate the business impact of a data breach with far-reaching cost, reputation or legal repercussions.
Define Standards and Strategy – You will only have one opportunity to successfully roll out a secure development initiative, meaning you cannot overlook this step. Conduct a risk assessment of applications owned by your organization to identify the most vulnerable applications to provide some qualitative ranking for decision-making. Having a baseline set of practices and procedures that are well thought out, realistically implemented, and reflect what is realistic in your organization is absolutely critical.
Execution – So you’ve done your homework, secured supporters throughout the chain of command and in the field, and laid out your strategy and goals. Now comes the hard part – bringing the issue of software security to the forefront through innovative awareness campaigns. Remember, it will be important to show quick wins, highlight positive behaviors, and do it over and over again; ratcheting up expectations and software security with each iteration.
Sustainment – This follows the successful execution of your software security initiative campaign, which can take between one and two years. To ensure your campaign stays fresh and does not lose momentum, a regular, disciplined update of the regulatory framework must occur. In addition, staying knowledgeable about what is occurring within your organization to determine whether there are new technology risk areas emerging in critical.
Creating a software security initiative is difficult by any measure. From organizational culture or politics to the status quo bias towards meeting deadlines for new features and functionality, there is no limit to the amount of hurdles that need to be overcome. But by demonstrating the importance of looking long term from a security standpoint and winning the hearts and minds of everyone that plays a role, success can be achieved. Organizations that focus only on the tasks ahead of them do not change the world. Long term vision is critical for organizations that endeavor to strategically move, grow and change the status quo.