The thing about being a security consultant is that people are always looking to you for the “secret” to building a secure digital anything. And by “secret,” they usually mean “shortcut”.
There is one simple secret to building secure applications. Unfortunately, that secret is time. There’s no shortcut that can replace time being explicitly dedicated to security from the very beginning of an app’s development. As the opera singer Beverly Sills once said, “There are no shortcuts to any place worth going.”
To explain why allocating time to secure an application is so important, you must understand the undeniable value of moving security to the “left.”
This isn’t a game
When it comes to securing software, “leftism” is not about electoral politics, but may in fact lead to serious policy discussions within product management. It refers to the time axis of a product’s development. The further left an action is moved, the closer it is to the early phases of development.
Moving left looks different at every company. Many companies do threat modeling, for example, very early on—a rare occurrence just a decade ago. You can go even further left if you consider security within product management. And when you’re considering security as a part of epics or the business value increments that you’re going to work on, that’s kind of as far left as you can get.
The culture of an organization influences how far left the process of securing an app can go. The security team may want to pull security farther left on the timeline, but that would require the product development group to also want to play ball. These internal politics amplified by the stress of pressure to deliver new features and other product demands can be the enemy of leftism.
Done right, shifting left will help an organization avoid what’s known as “level boss” testing. If you remember old shoot-’em-up games where there was this great big enemy, you had to clear that before you could move forward. If you beat the boss, great. If not, you had to start where you left off.
This all-or-nothing approach is great for gaming but the way it works in app development is that if you fail once, your app’s whole schedule is blown. Fixing these issues will steal time from work on future features and the blame—whether people admit or not—will fall mostly on the security team. Even if the “team” is one lonely lead dev who took on responsibility for security out of good intentions, and because no one else would.
Good leftism respects developers
One thing I constantly try to remind myself is that developers have an extraordinarily difficult job. Personally, I think the job these coders are doing is much harder than, say, being a security consultant. It’s much easier to find a security bug than to get a whole piece of software to work in the first place.
That’s why I think it’s a big mistake to focus only on developers when we talk about moving left. Product management, product owners and anyone else on a project who owns the resources likely have far more to say about what developers do with their time than those who are putting the product together.
If you are an in-house security person, it’s very helpful to have a clear understanding of the demands on developers—including performance, cost, and incredibly tight timeframes. A security professional who’s never done any commercial software development might not have any insight how difficult it is to make a small change. Without this clarity, you may only see a change as a 15-minute job and ignore all the bureaucracy, testing, and heartache that make any update very time-consuming.
Whenever possible, consider staffing internal security functions with people who have some software development experience. This familiarity with actual coding and app creation will help your team empathize with the agonies developers face. And it will help you fight for the thing developers need most, which—hopefully you know by now—is time.
I wish making security a priority was as simple as putting a “Remember security!” Post-It note on the screen of everyone working on a project. But true respect for security requires an explicit time allocation. In most organizations, this means that security needs to be ticketed on the backlog, like any other development activity.
If there were a simple way to convince everyone to do this, I wouldn’t have needed to write this column and you wouldn’t have needed to read it. But I know it’s possible because I see organizations every day moving left and allocating the time required to do so. This requires buy-in from product management, the immediate product owner, and just about every decisionmaker involved in a project.
And when they lean left, everyone who makes and uses an app will benefit.