The Security Champions of the Developer World

Author: Anne Hardy.

Organizations that want to secure applications are challenged by understaffed security teams and a lack of security awareness on the part of developers, reports Forrester. When developers do understand the importance of security and how to incorporate it into their work, they are security champions — often acting as security points of contact in their teams.

Forrester’s definition of a security champion is someone who is “a member of the development team, focused on translating application security into a language that the rest of the developers can understand.” It seems that these people would exist naturally, but given that developers are often not taught how to code securely, it’s up to company leaders to shape these developers into people who represent the best of both the development and security worlds. Further, the line between developer and security roles is blurring, and we need a better bridge between the two.

Existing programs that support these champions are expensive and time-consuming to plan, but they don’t have to be. In order to create an effective developer security champions program, organizations must understand the importance of security programs and instill a security culture — in turn creating more secure applications.

The Importance of Security Programs

Application security flaws have been the top causes of external breaches for a long time. If security is on the back burner for any company, there can be severe consequences. For example, online liquor delivery service Drizly experienced a data breach that affected as many as 2.5 million customers, many of whom had likely started using the service recently while sheltering in place. The data taken in that breach included email addresses, birth dates, passwords, and even delivery addresses.

A recent Synopsys study found that nearly half (48 percent) of organizations consciously launch vulnerable applications when they’re under a time crunch. It’s clear that developers are one of the main culprits for security issues, and they know it. But it’s not necessarily developers’ faults — it’s often their companies’. When company leaders work to ensure their developers understand the importance of security, developers will pivot from culprits to champions.

Security champions make fixing security issues across development teams a priority. The program creates a single point of contact for security issues in a given team, which makes it easier to query a security issue or follow up on a given task. It also makes a single person (or people if there are multiple champions) “responsible” for security on the team, which helps to create a sense of ownership of security issues and makes it less likely that fixing security issues will be delayed or deprioritized. Project owners need to buy into the concept and allow security champions to prioritize fixing issues over getting a new project out quickly.

How to Build an Effective Security Champion Program

There has often been a disconnect between developers and security teams. While security teams are focused solely on security, developers are focused on building products. However, to avoid breaches like the one Drizly recently experienced, it’s imperative that company executives work on bridging the gap between the two and instilling a security culture.

Finding the right metrics and weighing the value of each security practice, whether technical, procedural, or organizational, helps the culture of security take hold. This should be the first step, so that everyone feels that security belongs to them. From there, security awareness is key. Over-communicating is important, as employees will move around, new people will start working at your company, and people will simply forget. Security needs to be at the top of everyone’s minds so that they make it a priority.

Security champions should bridge the gap between development and security teams to ensure objectives align. For security teams, protecting against and blocking threats comes naturally, because their job is to ensure nothing bad happens and, if it does, that recovery is quick. But this doesn’t always align with developers, who want to develop products fast and aren’t being asked to build in security or fix security issues along the way.

Security champions must present the program to the development team and work with project managers to keep security at the top of their minds throughout the product development process. There should be a clear and consistent way for the teams to communicate and collaborate.

It’s critical to make sure that security champions are not overwhelmed with security issues on top of their other responsibilities. Being a security champion should be baked into the developer job, not an added thing to manage on top of regular responsibilities. It’s difficult for the program to really take off if it feels like a burden to the champions who are carrying it.

Incorporating incentives for security champions can help. Companies should consider tying bonuses to the metrics champions are able to hit within this role. They should also encourage their security champions to upskill and seek security certifications if they are interested. Giving security champions the opportunity to attend security-related conferences could also be a good benefit of the role.

Company executives must instill the importance of security and security culture within their organizations. Once they’ve done this, they will have the tools to build an effective security champion program and confidently present it to their teams. Security champions will ensure applications are more secure and developers are happy — avoiding flaws that lead to costly security issues.

Source: https://www.dataversity.net/the-security-champions-of-the-developer-world/
