What is it and why should I care?
In the last post, I gave some justifications for getting security people into your organization, as well as reasons to have them closely knitted into your team. In this post, I’d like to move the attention to the developers already on your team.
Let’s say you’ve got a model where you at least have some security representation on your team, whether that be an enterprise group that consults periodically, or someone that spends 2 days a week helping write code, or anything in between. (I discussed various models of execution in the last post, and mentioned that your organizational structure will likely dictate the best model.) You have a security expert on your team, but that person probably won’t be full time on your project, unless it’s huge, and many times, won’t be contributing to your codebase at all. That means we need additional security knowledge embedded into the team.
What should I do about it?
You could go about this in lots of ways, but I think Jim Bird’s approach is fantastic. It argues for a scaled model where you have different developers with varying skill levels in security, but all with at least a minimal understanding (basic training – think OWASP Top 10 / SANS Top 25 with a refresh once or twice a year). This is exactly what we do with other concerns in coding, such as performance or scalability. We often have 1 or 2 experts, then a smattering of capabilities among the remainder of the team.
Everyone on the team should know that you shouldn’t concatenate request parameters from the user into a SQL query string, but maybe not everyone will understand the intricacies of DOM XSS encoding or the ins and outs of Content Security Policy (CSP). By ensuring the most common vulnerabilities and associated controls are well understood by everyone on the team, you create an environment that generally produces more secure code. By having an expert or two on the team, you have people who know about the latest and greatest protections and who also understand the implementation caveats of the basic protections.
The scaled training approach has several benefits:
(More) Secure Code
You can produce rather secure code if the general team has basic training, and there are 1 or 2 experts helping out with the difficult problems.
Cheaper than Training Everyone
As Jim points out, this model produces secure code in a much more scalable way than trying to make everyone an expert. Training developers and turning them into security experts is not a cheap proposition. The basics are usually pretty easy, but there are lots of gotchas to be found, and that takes lots of time and money. By focusing the majority of your money on fewer resources, you’re able to make it count for more.
Training developers to be security-aware is a requirement, but many will try to hire in that talent. It’s well known that it’s quite tough to find security-knowledgeable developers. Needing fewer of them means you have a bigger talent pool to pull from, and most of your hiring will come from the standard developer bucket, which is much more abundant.
Natural Path to Secure Frameworks
By setting up a model in which a few people are experts in a single area (and others aren’t), you create a natural environment for encoding that knowledge into some system for the benefit of the larger group. In this case, that encoding is likely to involve creating a reusable security framework. Now you get the benefits of that knowledge and have it codified in an executable form. In addition, it’s simpler to “update” the knowledge store by adding features to the framework and fixing bugs over time. By hiding the gory details in a framework, you give the standard developer security capabilities they wouldn’t otherwise have had, and at the same time increase your security posture.
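As an added illustration of both points above (the SQL concatenation basic every developer should know, and the idea of an expert codifying the rule in a small reusable helper), here is example code that is not from the original post. It uses an in-memory SQLite table with constructed sample rows; the `query` guardrail helper and its "no string literals in SQL text" rule are a hypothetical framework policy, not a real library's API.

```python
import sqlite3


def make_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    """The anti-pattern from the post: request input spliced into the SQL string.
    A quote character in `name` becomes SQL syntax instead of data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Same lookup with a bound parameter: the driver sends `name` as a value,
    so it can never change the shape of the query."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def query(conn, sql, params=()):
    """Hypothetical 'framework' entry point: the only way app code runs SQL.
    It refuses SQL text containing a string literal, which is the usual
    symptom of values having been formatted into the statement, and requires
    placeholders plus a params tuple instead."""
    if "'" in sql:
        raise ValueError("string literal in SQL text; use ? placeholders and params")
    if not isinstance(params, tuple):
        raise TypeError("params must be a tuple of bound values")
    return conn.execute(sql, params).fetchall()
```

Run against the sample table, `find_user_unsafe` returns every user for an input containing a quote, `find_user_safe` returns none for the same input, and `query` rejects a statement with an inline literal before it reaches the database.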
In conclusion, developers in your organization should get trained on security. The majority should be familiar with the basics, while a few should be experts. By scaling your investment, you’re able to efficiently build more secure code and create an environment that fosters institutionalizing the security knowledge of your experts for the benefit of your full team.