You need to find out as a team what the threats really are for your project.
Once your development team has an understanding that software security is relevant for your organisation, and for them, you need to address how to go about making a difference.
But how are they to do that? To answer that, we recommend you first lead your developers to a different question: not how but what.
There’s a widely used approach to using external people to improve your software security. It’s called ‘Penetration Testing’. Discover how it works...
Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. (SearchSecurity)
Would it make sense for you? Let's look at the advantages and disadvantages of the approach, and then at where you might go next to set it up.
Developers just don't care about security.
Most UK software development teams still use at most one security technique, and often none at all. But GDPR means that their organisations are totally liable for security breaches, so it is vital that their developers do implement secure code.
So how do we help them?
Remote working used to be the exception rather than the rule. But now, like it or not, everyone is working from home. We all have to make the effort of learning to use video conferencing and sharing technology effectively. And that opens up wonderful opportunities.
Why should we do games and workshops rather than just telling developers what to do or teaching them ‘capture the flag’ skills?
To answer that, consider that for many years, software security has naturally been dominated by ‘security experts’, specialists whose job is to seek out vulnerabilities in software and encourage developers to fix them. Such experts will tend to regard developers as lazy, since they are the ‘cause’ of the security vulnerabilities. So security experts will look for ways to ‘motivate them’ to do better security.
Learn how to use Microsoft Word to create an image or table with a caption that stays near the text that references it.
As an author, I usually need to put images and tables into my documents. And like millions of others, I use Microsoft Word as my editor of preference, so it's vital to know how to use it well.
I love being able to sleep at night. I like it that I can be pretty sure nobody is going to break in and attack me, that my children sleep safe and my possessions are likely to remain mine. In fact, I value my security very highly indeed, and I’m prepared to pay a lot to get it. I’m sure it’s the same for you.
In fact, security and privacy are valuable to almost everyone. So why have we traditionally presented software security as a negative thing, as a tax on the cost of software development?
There’s a lot of nonsense written about passwords. I recently encountered a post exhorting everyone to make an ‘uncrackable’ password by taking a phrase and putting random symbols before, in place of spaces, and afterwards. Uncrackable such a password might be, but unmemorable it certainly will be. Imagine having to remember a different such password for each website you use!
Recently I faced a problem: where should I publish my research? Previously my venues had been suggested to me by experts, the professors whose guru status in publication was not in doubt. But now it was my own decision.
So how had these experts made their decisions?
Last week I sat down to figure out what's really going on in secure software development: 'Developer-centered Security'. I used a technique by Simon Wardley, which is great for showing a whole industry at a glance.
Many developers expect their main software security problem to be attackers from North Korea using technical software weaknesses to gain access to files in the system such as lists of passwords. But Facebook's biggest security problem ever was a decision to quietly give innocent-looking semi-public data to an academic researcher at a firm of analysts. Many other companies have equally found that their security problems are far from what they might have expected.
Recently I’ve been working on the Secure Development Handbook, the most important part of this website. So here I'll ask the author’s question. How do we improve it?
Many of us learn best from games, preferably games that are fun. This section introduces three games, each of which has been devised by security researchers and used in a variety of commercial situations.
All work with agile development techniques, and all three are free to download but need some preparation, so I recommend you take a look before inviting all your colleagues to a session.
This week I’ve been at the IEEE SecDev conference in Boston. It’s been an eye-opener; I had not realised before just how many aspects there are to secure software development: toolchain improvements; what senior management can do; resources available to developers; patterns for secure development; language design to prevent time-based oracles; using strong typing to enforce security; log analysis; automated threat modelling – we heard about research on all of these.
Here too, I had the privilege of organising a Birds of a Feather session. This time I asked the question raised by the paper I was presenting: given that developer resources on security tend to be inadequate, how are developers to find out what they need to know?