Feb 06, 2017
Struggling to improve your application security? Here's 3 things secure application developers need from your security team.
In most organisations, there's a serious disconnect between developers and security. Both teams work hard at their respective roles, but without the time and infrastructure necessary for effective collaboration, a significant amount of bugs and vulnerabilities make it into finished applications.
To help you improve your application security, and reduce the costs of remediation, I'm looking at 3 things secure developers need from your security team. 1) Clear Communication
Regular security tests are an essential tool for improving application security; but for most developers, security reports are complex, jargon-filled, and difficult to understand. For developers to take action on a test, and reduce vulnerabilities, they need security to provide context to their findings.
Whether it's a buffer overflow problem or a case of SQL injection, most developers lack the security team's specialised knowledge. Before any remediation can take place, the security team need to help developers understand the problems they've found, and offer advice on which problems need to be tackled first. 2) Remediation Advice
In most cases, the remediation advice offered by static testing tools leaves a lot to be desired.
Application vulnerabilities can be complex, especially when remediation has to abide by the organisation's own unique development standards. Without security education, few developers will have the knowledge necessary to remediate against vulnerabilities. Without the education or resources to solve a problem, vulnerabilities are left unchanged - and the next time the application is tested, the same problems reappear.
Wherever possible, security teams need to offer explicit remediation advice to developers. Their advice needs to be role- and development language-specific, and contain real code examples for developers to follow and learn from.
It's fair to say that few security teams will have the time or capacity required to provide explicit remediation advice alongside their test findings. In these instances, it's vital to establish a training knowledgebase - a centralised repository of security artifacts, insights and education.
As well as allowing developers access to information and education whenever they need it, a knowledgebase allows the security team to point developers to actionable, role-specific remediation advice and real-world examples - without wasting time on epic emails and in-depth advice. 3) Empathy
For most developers, security simply isn't a priority.
In the majority of organisations, developers are hired to create functionality-rich code, as quickly and cost-effectively as possible. They have to meet incredibly tight deadlines, and constantly improve and iterate upon their code in the process.
They get judged on the efficacy of their code, and not its security: and any time given to security education or code review is time that isn't spent serving their primary objectives.
Security teams need to understand the challenges faced by developers. They don't 'overlook' security out of stubbornness, or choose to ignore the security team's feedback: they simply don't have the time or resources to make security a priority.
Thankfully, security education and eLearning courses can help developers overcome these challenges. With a bit of empathy from the security team, the dynamic between security and development can be improved - and application security can be completely transformed.
Security education is a key component of application security. To learn how to roll-out an effective application security program in your organisation, download our new guide below.