How to grow a secure software culture from the inside out

Secure software development depends on a culture of security. Here's how to cultivate the right mindset.

By Eric Baize, vice president, product & application security at Dell Technologies

The average software delivery project is a heavy lift. Getting code bases thousands or even millions of lines long into production can leave developers exhausted. Making that software secure is even more difficult, especially when many software engineers are not trained in security.

And yet the responsibility lies with developers. They are accountable for the quality and the performance of the code they create. They’re also responsible for its security—particularly in this hyper-connected world, where one of the most important elements of quality is security.

Security isn’t achieved by secure coding alone. Businesses need to look at people practices first, from their developers to their rank-and-file employees’ conduct and security mindset. According to our recent Breakthrough study, 62% of businesses polled regard employees as the weakest link across their cybersecurity defenses.

Your company can remedy this shortfall by creating a culture that supports secure software production, starting with the development team but eventually pervading the whole organization. Here’s how.

Seed the garden

Organizations can seed expertise where it matters by creating security champions within the development teams. These are developers who are accountable for secure-coding practices (incorporating the creation of the code and its testing). They effectively become the companies’ embedded security experts and security evangelists.

Formalize security skills with a framework that awards training with levels of internal security certification. That differentiates secure development skills for managers assigning coders and testers to your projects. At the very least, you can establish a minimum required level of skill for all developers.

Grow the garden

Security culture shouldn’t stop at the development team. Everyone plays a part in building a more secure software portfolio. You can help developers in this mission by instilling security awareness in other disciplines involved in the product lifecycle.

Security begins before a new product or feature is released. It should be a priority for product management, sales and marketing. Harmonize agendas between these teams—they should not attempt to sacrifice security by pushing for feature updates that could compromise security.

And then coach your support teams to work closely with your product security incident response team (PSIRT). They need to be able to differentiate a bug from a vulnerability. In their interactions with customers, once they spot the latter, they need to share that intelligence from your PSIRT. Establish a process to prioritize and funnel that information accordingly.

This expansion of security culture outside development to everyone touching a product creates many moving parts. It’s a complex discipline that takes a company-wide effort to manage. That calls for effective governance.

The security team is your unifying force here. As its core focus is security, it must bring together all stakeholders for whom security is a tangential concern, unifying them in a common effort and holding them accountable.

You can create various mechanisms to support this, including online collaboration and workflows. Weave security into the fabric of your organizational culture. For example, Dell uses cross-department, security-focused town hall sessions to help promote a security culture across the board. Hosting security awards adds powerful incentives and pairs developers with security mentors.

Nurture the garden

Growing a security culture is a multi-directional endeavor; you must also grow it upwards. A security initiative needs support from the top to make it a priority. However, that requires visibility.

Engaging and raising awareness among mid-level management and senior executives is crucial, but it’s just the first step. You must ensure they can measure cross-departmental security progress. That means integrating security metrics into reporting dashboards to make your security stance visible and key stakeholders accountable. Those metrics could include everything from the number of vulnerabilities fixed to security training completed and certifications issued. Ideally, this doesn’t mean new security dashboards but, rather, the integration of security metrics into existing product quality and governance dashboards and management constructs.

Become a neighborhood garden

After growing your security culture outwards and upwards, the next step is to build beyond. Communities of practice (CoP) can extend beyond your company to include other groups. These could include local security user groups and industry organizations, along with cross-sector nonprofits that research and promote security in code.

A CoP is a powerful force in shaping and promoting a culture of security. It encourages information sharing and creates a cross-industry view of problems and solutions.

The global Forum of Incident Response and Security Teams (FIRST) is one such community. It is a group of security professionals from around the world that exchanges information and resources about security and response information. It runs technical events and operates special interest groups on a variety of security topics. Another is SAFECode, an international nonprofit that focuses on creating software security programs.

Technology alone won’t improve software security. Security-conscious cultures derive from people and processes. Building them means addressing people’s perspectives and priorities.

Developers and security teams are accustomed to binary problems with clearly discernible outcomes. They can find the interpersonal challenges of cultural change difficult. Nevertheless, an iterative approach will stack up and support a consistent, secure development lifecycle—a community of security that is more than the sum of its parts. Plus, it’s an imperative. With the chronic shortage in software security talent and the rise in attacks, businesses will have to look internally and train up salaried employees. Waiting for the next elusive hire could leave your organization partially undefended and vulnerable.

Lead photo by Rohit on Unsplash 

This article is the third in a four-part series on secure product development.  Be sure to check out the rest of the articles in the series:
Why your coding team needs to use a secure development lifecycle
Catching bugs on the loose: vulnerability management for software developers
How to secure your software supply chain when using open-source technology