Developer security is a holistic view of an application’s security, and it is something I have been working on for several years. The problem with application security is that it inherently focuses on the product, the application. The alternative approach seems to be DevSecOps, where we make security part of the operations process, shifting left from the application to the build process, but I think this is still missing something, since we are still focusing on the output of the process and not the process itself.
Inherently, if we are looking to improve security we have to go to where the security issues get into the code: the developer. To accomplish this, most of the focus in this pattern has to be placed on the education process and on managing and measuring where you are in that process. Education is pivotal because it is designed to change the mindset from ‘our attackers are super elite hackers’ to the reality that the majority of the attackers we see are simply people who have more time to dedicate to the focus of security (squirrels). In this way we have to figure out how to take all of the time the attacker would spend attacking our site and turn it toward the defense of the product we are building. This approach puts a heavy amount of thought and work on the developer and what their workflow looks like. The goal of the process is to get the developer to focus in on what they are developing and ‘develop the attacker mindset’ (more on this in a moment).
Okay, now on to the elephant in the room: developers aren’t attackers, and telling a developer to think like an attacker is like telling a developer to think like an elephant. Inherently they can’t do it, because it isn’t their frame of reference. That’s okay; instead we want to shift their focus from thinking about security to thinking about resilience and safety, because on the Venn diagram of security those are the overlapping pieces that allow for a common mindset. Once we have that in place it’s a very small jump to the next level, making sure that we are accounting for ‘what can go wrong?’. Once we get to this mindset I think we are in the sweet spot for moving forward.
So how is this going, and what are some of the main things we have been able to do to figure out where we are going and what we are doing as part of the process? The short answer is that so far things are going okay. It takes a long time to boil the ocean and there are a lot of tasks we have to focus on as part of the process; there really isn’t anything we can do to get around that. This is one of those ‘we do these things not because they are easy, but because they are hard’ situations; it is the right thing to do.