What's Happening in Developer-Centered Security?

Last week I sat down to figure out what's really going on in secure software development: 'Developer-centered Security'. I used a technique by Simon Wardley, which is great for showing a whole industry at a glance. 

The diagram shows different aspects of this ecosystem, with the horizontal axis showing how mature each one is (think Diffusion of Innovations), and the vertical axis showing how visible each is to users (in this case, to developers). The blue lines connect related aspects.


So what's happening? The FAMGA (Facebook, Amazon, Microsoft, Google, Apple) companies have developer security pretty much taped, using security experts and motivating, enskilling and empowering developers very effectively. But they consider it a commercial asset and too valuable to share; so even Microsoft no longer publishes how they do it. Thus everyone else is limited to using some reasonably mature tools and databases, and winging it for the rest.


The ways to wing it are less well-defined. Clear advice is beginning to emerge for security professionals on how to relate to developers, though there is not yet industry convergence; many services are still not secure-by-default; and APIs, online advice, and self-help security are still in their infancy.


In terms of research, there was significant US work on formal Secure Development Lifecycles, particularly by Microsoft, until 2010, when it became apparent that developers didn’t like them. The more recent UK alternative, ‘Agile Security’, gives power to the developers, though the only book so far assumes the involvement of security professionals. In Germany, teams led by Fahl and by Smith investigate developer learning and developer usability. In the UK, the Johnny and Jenny projects investigate aspects of Expert-less Interventions: Johnny for solo developers; Jenny for team motivation.


So there's plenty going on, but much of it is at an early stage of development.


These are exciting times!


  - Charles