Once you've done the initial work thinking about security, it's vital to help developers achieve security day to day. How, though, can you do that?
One of the best ways is to introduce a ‘security champion’. There are several options: specialist secondment, expert secondment, and home grown – as follows.
If you have available security experts who are not themselves developers, they may be able to work directly with the developers to sensitize them to security issues and address those issues in practice.
Our advisors... we actually plug into different parts of the service teams, the engineering teams, and they work as security subject matter experts. And they are highly skilled security people. They are people who couldn’t write a product but they certainly know everything about [specific security features], and how would you do that at scale, how would you do the threat modelling. (Security team leader, SAAS multinational)
Another effective approach is to get someone from a different part of the organisation, or outside, who has worked on a successful secure project and understands how that was achieved: expert secondment. One company that specialises in secure development even offers this as a service for their clients.
We send people on site, and we embed them into other teams. The normal outcome, and I can’t think of a situation where this hasn’t happened, is for them to export our processes like it was the obvious thing to do – and I think it is! And for that then to be taken up by customer [developer] teams. (Team leader, security and military supplier)
If that is impractical, you may be able to identify one team member with an interest in security, and encourage them to be a ‘security champion’. This developer learns as much as possible about the subject, and then provides support to others in the team on security matters.
One thing that we find works with software development teams is … Security Champions – the idea is that one person in the team is more interested in security – not responsible – but who is the ‘go to’ person in the team if there is an issue in the team before they go to an external consultant. ... You need that person in a team, you actually do. (Security consultant & trainer)
Remember that traditional ideas of what makes a good security expert (typically, being an aggressive nerd) may not work very well nowadays: good champions are those who communicate well, persuade and evangelise.
What kinds of improvement should you interveners and your security champions be encouraging? In the next sections, we'll introduce the most cost-effective technical solutions to better security, starting with the lowest hanging fruit: components.