Developers just don't care about security.
Most UK software development teams still use at most one security technique, and often none at all. But GDPR means that their organisations are totally liable for security breaches, so it is vital that their developers do implement secure code.
So how do we help them?
Despite the risks of insecure software, software security is not a part of most software development teams' work. They don’t even teach it much in university, yet.
Many developers and testers won’t have encountered it at all, or will consider it something for others to handle. Or maybe they have encountered it, and consider it too expensive or painful to confront.
So How Do We Change This?
If we want our team committed to improving software security, we need to change that mindset. In particular, we need to address the problems in ways that are meaningful for the team, in the context of the work they’re doing. But how do we convince them that security isn’t ‘somebody else’s problem’? How do we motivate them to start taking it seriously?
We need an incentive...
The Developer Security Essentials Incentivisation Workshop
In the Developer Security Essentials package, the Incentivisation Session uses the Agile App Security Game. It doesn’t need security expertise to run, making it suitable for teams who don’t have security experts available.
The Agile App Security Game involves groups of up to eight people, all taking the role of Product Manager for a mobile application development. The facilitator has the role of ‘games master’, following instructions provided in the game. The players choose ‘security story’ cards for each development cycle, and then discover, based on the outcomes described by the facilitator, how successful they have been in deterring security threats.
As well as helping participants to learn about security, it is good fun to play.
The game very effectively introduces the principle that the Product Manager is the one who makes decisions about security cost/benefit trade-offs.
The game does have limitations. It doesn’t consider privacy aspects, and it concentrates on relatively anonymous threats, ignoring others (such as insider fraud and customer repudiation of transactions) that might be equally valid. Often the facilitator will say as much at the end of the game.
You could lead a session yourself! Download full instructions for the Agile App Security Game below. Or learn more about Developer Security Essentials here.