How to Educate, Train and Empower Developers in Security
Calling all developers! The time has come for you to take responsibility of your application security. This may sound daunting to some of you, but don’t fret! There are many resources, tools and practices that will guide you on your path to DevSecOps greatness. In this blog post we will showcase some episodes from The Secure developer, an interview-style podcast run by Snyk’s very own CEO, Guy Podjarny. The podcast has been running for well over a year already and Guy has interviewed some of the top thought leaders in our industry, including Chef CTO, Adam Jacob, DevSecCon founder, Francois Raynaud and Redmonk’s James Governor, to name a few.
By now, we all know developers are the new kingmakers. Those who do not focus on the needs of their developers while listening to their advice will find themselves chasing their competitors. With this in mind, how can we as an industry, or as individuals, empower developers to give them enough knowledge and authority to handle security effectively? To answer this question, I’ve picked out a few episodes from the podcast series in which Guy quizzes various security teams, to shed some light on how this can be achieved.
Empowering Developers in Security
Episode 1: Prioritizing Secure Development
In The Secure Podcast’s debut episode, Guy is joined by Kyle Randolph, Principal Security Engineer at Optimizely, who was their security hire. Kyle and Guy discuss how to build good security practices while creating champions inside the security team, as well as the importance of being close to engineers. Kyle also covers the sometimes difficult but always important task of prioritizing security in your engineering organization. Kyle shares stories from his time at Optimizely, Adobe, and Twitter.
“Being tied in to engineering, you know what’s being built, you know what’s on engineers’ minds. It’s much easier to gain influence over engineers and also have them come to you.”
“Chances are, if they’re interested in and passionate about it, they’re going to be much more productive working on it than if it’s assigned to them.”
Episode 11: Keeping PagerDuty Secure
Guy is joined by Arup Chakrabarti, Kevin Babcock and Rich Adams from PagerDuty. They discuss how they put into practice their security vision of “making it easy to do the right thing”, by building tools to increase security automation, being transparent, and empowering developers. This involves picking the right tooling and designing a security experience that doesn’t force people to do things, but rather provides insight into how vulnerabilities can be exposed. Giving people the opportunity to break things also creates a strong desire to want to then protect those things.
“So rather than giving people a list of rules, we framed differently by showing “here’s what attackers do, here’s how you break passwords”, and demonstrated it with some fancy animations and people were more engaged that way.”
“One way that we find you can get the entire team involved is by using this rotation and dispatch where, when a particular problem comes in, whoever’s up on call is going to have to understand and take care of the problem.”
“A lot of the security tools make implicit assumption that you have an army of security and analysts available.”
Episode 13: How New Relic Does Security
Guy talks to Shaun Gordon, Chief Security Officer at New Relic. Shaun tells us how he got into a career in security (after having a developer background) and explains how the role of security has evolved at New Relic. He reveals their philosophy of adapting security processes to fit the way developers do their job and emphasizes the importance of exception alerts, scorecards, and automation to support a rapidly scaling organization.
“I was never that sort of traditional hacker who liked attacking things. I never got those skills formally anywhere. I just sort of backed into it and really have approached security as a developer, as a defender from day one.”
“I have a philosophy for my team, which is I want to change the way we do security to fit in with the way the developers perform their job.”
What You Should do Now!
You’ve clearly got a an interest and a taste for being a secure developer yourself, or empowering your developers to be responsible for security. If this is the case, be sure to sign up to the Secure Developer podcast and listen to the newest episodes as they are released! Also, if you’re keen to empower your developers with the necessary tools they need to be efficient at finding known security vulnerabilities and bad licenses as well as remediating any issues, be sure to check out Snyk, which has free, unlimited tests for open source projects.