Six years ago, I was running Penrillian, a 20-strong company devoted to creating leading edge software for mobile phones. Penrillian's customers were mainly mobile operators (‘carriers’), and we were delighted to receive the commission to produce the first commercial Android mobile money application. Our knowledge of software security was sketchy, so naturally we went to the internet to learn how to tackle secure software development. We found a good deal of information on how to use low-level APIs correctly; instructions how to sign apps; and a lot of horribly-detailed descriptions of ‘All The Things That You Might Do Wrong’.
Nowhere could I find a friendly step-by-step introduction to creating and verifying software design that would satisfy a given set of security needs. I was horrified at the omission, and when I had the opportunity to return to the academic life, I joined Security Lancaster and chose this as an area to study.
Two years later, NCSC, the government agency tasked with improving Britain’s cybersecurity, challenged the Developer-centred Security team at Security Lancaster to research interventions for software developers. They asked what would make a good intervention to help a software development team achieve better security; how would such an intervention work with different types of team and culture?
To find the answers, I first asked a range of some of the most successful people working to help software developers produce secure code, and analysed how they did it. I looked for positive approaches – most security experts love discussing attacks and failures, so this was harder than you might expect!
Based on that analysis, I put together a package and have been trialling it on a variety of development teams; I call this package ‘Developer Essentials’. I’ve conducted highly-structured trials with several companies and improved the package from the results. This book describes both the Developer Essentials package, and explains why each step is important, and how you might want to take it further.