According to Protego Labs' Solow, the role of a security software engineer is not necessarily a novel idea. For a long time, security teams have employed stray developers now and again to write scripts and build out security systems for them, but they tend to pigeonhole these specialists. Rather than starting with new developer hires, he suggests security managers set out to retrain the ones who may already be hiding in the proverbial basement.
"Organizations have known they needed an engineering team to build stuff for them, but those developers were never part of the policy-making or a part of the larger security practice," he says. "You probably have some really talented developers that know security. How about finding an expanded role for them? Embrace the developers you have at home first — that's going to be the quickest win."
These existing resources can then be the vanguard for setting new application security policies and procedures before adding new developers to the security team's ranks.
Democratizing Security Across the Development Corps
Of course, bringing developers onto the security team is just the start of making headway on cyber-risk. The whole point of getting that internal help from devs is to use them as force multipliers. A small team of security developers can be relied on to start the collaboration needed to extend security into the hearts and minds of all the other nonsecurity developers across the organization.
"The only way for security to scale is by enabling the rest of the business to be security self-sufficient," Lackey explains.
The biggest security salvation for large enterprises lies in the power of developers at large — the software engineers delivering software to business stakeholders and customers. Security cynics may say these developers don't care about security, but that has never been true.
"Developers care about creating a high-quality product, and they're well aware that if their product gets hacked, then that's not quality," says Tanya Janca, CEO and co-founder of early stage startup Security Sidekick and a former application security advocate at Microsoft. "But I also think that most of them feel pretty frustrated and overwhelmed that they don't know all the things they need to do or have the tools to do them. From what I see, there's little to no support for them."
As an example, Janca relates the story of a place she worked at a while back where the developers "rolled their own crypto because they couldn't get a straight answer from the security team about what to use."
This brings home the role that security should be playing to help all developers in the organization fulfill their own drive and desire to deliver quality (and, consequently, secure) software. Rather than being the gatekeepers of yesteryear, Maccherone says security should be coaches and toolsmiths for developers.
"We start off by saying, 'Security trusts you.' We trust that you are close to the business and will trade off security risks with other risks, and that's OK. We want to make sure you understand what you're doing when you make that trade-off," Maccherone says. "We're going to advise you on that risk and also lower the cost of you adopting these right practices."
This makes it possible to democratize much of the daily security work out to well-trained and well-supported engineers on the ground. At Comcast, the security team has done exactly that with a systematic training program that scales out security training and builds up security champions across hundreds of development teams and legions of developers, using only a small team of security development enablers.