A couple of weeks back I had a very interesting meeting at work. After meeting a new development team and discussing security (testing), they commented on how great it was to work with a driven and interested security engineer instead of a nay-sayer. This got me thinking about how others view security professionals, and I realised that we are often seen as a hindrance.

This line of thinking arose once more after reading the “Report on the 2020 FOSS Contributor Survey” [1]. The report highlights that developers of FOSS (Free and Open Source Software) hold the same view: security is a hindrance, a necessary evil that has to be done, and something not to spend more time on than absolutely necessary since it's just annoying and boring. That is something we must strive to change.

Sure, there are times when we have to say no, but developers (and others) usually understand this if we just explain why. It is important not to be the nay-sayers in the corner, but rather to get involved. In my eyes security must support the business and the rest of the organisation. Everyone has to be on the same team and work towards a common goal, whether that is high-quality software or good backups in case of ransomware.

To be able to co-operate we need to build trust and ensure good communication. I have not met a single developer who has introduced a vulnerability with malicious intent, which means that the best way to get them to want to work with security is to make it easy. Explain your recommendations for a reasonable level of security. No one can protect against everything, so you must find what level of risk is acceptable in the current scenario. Are you protecting against a nation state or against everyday hackers? The effort needed is greatly different.

In conclusion, security professionals cannot be a breed unto themselves in a corner. They need to be visible in the organisation, promoting communication and helping the organisation make decisions that improve security. It doesn't matter whether the decision is made by the CEO or a junior developer; both are equally important for the overall security posture of the organisation.

References

  1. https://www.linuxfoundation.org/blog/2020/12/download-the-report-on-the-2020-foss-contributor-survey/