7 steps to improve developer security
September 2, 2021
0 mins readEmpathy — that ability to understand what others are feeling — might be the secret ingredient when it comes to successfully shifting security into the developer world. Snyk co-founder and president Guy Podjarny hosts The Secure Developer podcast, and in interview after interview, guests have repeatedly spoken about how empathy, understanding, and a bias toward action are the biggest components of a successful developer-first security culture.
The advice Guy received boils down to seven practices companies can follow to smooth and improve their journey to developer-first security.
1. Be present
In order to truly bring security and development together, it’s important that both parties remain actively involved and engaged. Not only will engagement promote empathy and understanding, it will also help build the relationships that are critical to a successful culture change, says Jet Anderson, the “Code Doctor” and Developer Advocate at Nike. In Security Education With The Code Doctor (ep. 98), Jet explained why he makes an effort to be at developer team stand-ups and community meet-ups. “I go to their community meet-ups, talking about whatever they're interested in and so forth,” Jet says. “I think that's where you find those developers, but it also requires a cultural change, right? You have to have developer-minded security professionals in order to go find the security-minded developer professionals.”
Amanda Honea-Frias, a Security Architect in Cisco’s Security and Trust organization, tries hard to practice empathy in all areas of her work. In Security In Small And Big Organizations: The Hyphen Between Security And Development (ep. 87), she spoke with Guy about why it’s so important to put in the time with developers. “Having that direct connection, having lunch and learns, having office hours, and really talking to them and where they work... building those relationships, heck, going out for coffee, treating them like actual peers, instead of segmenting security away from development,” she says. Those are efforts that will completely pay off.
2. Embed security in development
Yashvier Kosaraju, Manager of the Product Security Team at Twilio, told Guy, in Level Up Your Security Champions (ep. 66), that it’s important to bring security into development, rather than the other way around. “I look more for a passion for security rather than a specific skill set... the broader sort of requirements you need to be able to write code,” he says. “It doesn’t have to be production-level code but... the main sort of criteria that we hire is empathy to work with developers. I would want someone who can partner with them, versus give them a list of requirements to accomplish. We can up-level individuals on these [technical] skills but we cannot really up-level them on the empathy factor. So that comes first in my books.”
At Datadog, the strategy is similar, says Douglas DePerry, Director of Product Security, in Prioritizing The Communication-Factor In Security (ep. 52). “Culture is a very important part of Datadog... in how we do things and how we treat each other and work with each other,” he says. To help that along, Douglas embeds security pros in development teams to bring about a shared understanding. “We can learn about how that particular team works better, we can provide them some value by fixing some bugs or just having someone that’s sitting there that can just bounce questions and bounce ideas off of.”
3. Find the champions
The benefits of a security champions program are well-known, but in The Future Of Security Teams And Champions (ep. 84), Nick Vinson, DevSecOps lead at Pearson, tells Guy that it’s important to keep things fresh and interesting. “Since we've been delivering regular training and attack demos to our security champions program, we've seen the enthusiasm for that increase dramatically and with the willingness of developers to nominate themselves to be security champions too,” Nick explains. And the more security champions there are, the better view into the development world Nick’s team can manage. “The more security champions we have, the more developer feedback we're getting. That's helping improve what we're doing in terms of the security capabilities and testing functions that we're providing.”
4. Understand the code
In Optimizing Team Communication (ep. 41), Sara Dunnack, a Security Engineer at InVision, says that your security pros need to understand the codebase they're securing. Without that, she tells Guy, there’s simply no credibility. “Everyone on our team is really developer-first and security-second, obviously strong security, but you need to be in the code,” she says. “I think that's the biggest thing that many security folks may not think about, especially if you come from the sysadmin side. You need to be able to get into the code and truly help the developers, and show them the specific line. Like, ‘On this line you need to do this.’"
5. Be patient
“It’s not us versus them, it’s us together.” That’s what Siren Hofvander, CSO of Cybercom, tells Guy in Positive Security (ep. 34). She’s firmly against the idea of security just being for “those in the know” and stresses that empathy will go a long way to improve any company’s security posture. The security team’s role, she says, is to walk the walk right next to developers and to accept that it is going to take time. “Because as a supporting function, we have to keep showing up,” she says. “It might take three months for the development team to lower their guard and really let us in, but once that's done you can have year after year a positive relationship with that team.”
6. Meet them where they are
Nike’s Code Doctor Jet is also adamant that security/developer communications have to start and end on equal footing. “If we’re not really intentional with cultivating their knowledge and giving them the information that they want at a deep technical level, then we're not adding value.”
7. Measure success
Can culture creation’s success or failure really be measured? The answer is a resounding yes, according to Cisco’s Amanda Honea-Frias. She approaches empathy and culture building with a clear plan, so naturally she needs to evaluate how she’s doing. And she tells Guy that surveys not only measure but offer another way to keep feedback coming. “Basically, [we’re focused on] keeping the channels open, sending surveys is one,” she says. “Any way that you can get feedback, or talk directly to developers on what they want, instead of what we want.”
Find The Secure Developer anywhere you listen to podcasts.
