13 ways to improve software security

Developers are smart, independent thinkers who need solid reasons to develop with software security in mind. Here are 13 ways to get your developers on board with security and ongoing security training.

1.  Find at least one developer who knows and values secure coding. This person will be able to lead and mentor other developers to minimise software security flaws.

2.   Perform or subcontract a security assessment to determine where weaknesses currently exist.

3.   Get your developers the security training they need on an ongoing basis.

4.   Through the security training, show your developers what national and international standards bodies are doing regarding software security.

5.   Give developers access to the security training they need, including tools in the areas of software security analysis and remediation, and the often overlooked threat modelling applications.

6.   Create a development library for ongoing security training that can provide quick reference to various software security.

7.   Collaborate with your developers during security training to create formal software security standards and policies along with a set of metrics to ensure they’re properly implemented and maintained.

8.   Tweak your software development process where possible and try to include security training. Many developers are set in their ways and don’t follow a formal structured development process, but it certainly can’t hurt to provide training and make adjustments where necessary to facilitate more secure development processes.

9.   Set new standards for all new code moving forward rather than forcing your developers to go back and fix old code. This is especially important if older code is going to be phased out in the near future.

10.  Make sure your developers receive security training on the business risks related to software security and what’s at stake for your organisation.

11.  Try to support your developers when they request a specific development platform or language to use. Many security flaws are introduced when developers have to learn a new language or support a new platform.

12.  Include software security requirements in your developers’ formal job descriptions. Hold them accountable, and reward them when they go beyond what’s expected.

13.  Ensure there’s solid communication between marketing, product management, development, and information security. Properly setting expectations and realistic deadlines is required for effectively integrating software security.  

You’ve got to approach getting developers on board with software security as a long-term process. If you start slowly and work towards establishing a security-conscious mindset in your organisation, you’ll eventually see positive results.
© 2008 Hewlett-Packard Development Company, L.P.