Why I’m not teaching developers how to do security…

Yesterday my wife Julia asked me a simple question: how important do I think software security is in the world; how big is the problem to solve? Rather to her surprise, the question perplexed me, and I gradually explained that my job wasn’t solving the problem of software security. The ways to achieve software security are well-known. My role is helping companies and developers decide how much security they need, and how most effectively to get it. In fact, my job is to help companies answer the very question she asked me, for themselves.

“Oh,” said she, “then why doesn’t your website say that? It says you’re telling developers how to do security.”


“Oh dear,” I said.


So now I have the task of completely recreating our website to emphasise that the work we are doing is about the decisions of how much security to put into a software product. Those decisions are about risk, about impact, about security marketability, and about cost. And they require transferring knowledge from the technical staff who can identify security and privacy problems to the managerial staff whose job it is to make resourcing and financial decisions. Yes, everyone makes security decisions: product managers make decisions; line managers make decisions; and developers themselves make such decisions every day in the work they do.


And that is what Developer Security Essentials is about.


- Charles