Why Use Security Essentials Workshops?

Why should we do games and workshops rather than just telling developers what to do or teaching them ‘capture the flag’ skills?

To answer that, consider that for many years, software security has naturally been dominated by ‘security experts’, specialists whose job is to seek out vulnerabilities in software and encourage developers to fix them. Such experts will tend to regard developers as lazy, since they are the ‘cause’ of the security vulnerabilities. So security experts will look for ways to ‘motivate them’ to do better security.

But in our research we found another side to that story. From the point of view of developers, security is only one part of a complex daily story of demands, requirements, priorities and problems. Indeed, we found that virtually every developer we worked with would prefer to create secure code. But in the context of everyday work, things are not so simple:

  1. It’s difficult to get a handle on what it means to write secure code;
  2. Different aspects of security are relevant in different situations so it’s easy to waste effort on the wrong things;
  3. Developers may not be able, or feel able, to get the financial or time resources needed for security from management.

Developer Essentials addresses each of these three issues in turn:

  1. In the ‘Agile App Security Game’, developers learn that security is understandable, that trade-offs are inevitable and vital, and that there’s no need to worry about achieving perfect security, because it’s impossible.
  2. The ‘Threat Assessment’ workshop provides a structured discussion about the developers’ own project; often participants find their security requirements very different from what they had previously thought.
  3. In the Prioritisation workshop, developers (and, if possible, product management) work out how to represent the value of different security changes in business terms, so that product management can make informed decisions to prioritise security changes against other changes.

The results, which we have analysed objectively from using the Essentials package in nearly a dozen organisations totalling over a hundred participants, are always worth the participant time cost of the workshops. To paraphrase a 1980s advertising slogan:

Nobody knows all the secrets of Software Security, but we at the Majid project know a few…

- Charles