Getting developers on board to transition from part of the problem to part of the process

Web application security often focuses more on software than it does on people. That can be a dangerous approach. Why? Because at the root of every security success or failure is a person or a team, namely software developers.

Your developers are key players in the web application security equation. They are often the unsung heroes who help prevent many security problems from ever occurring, or close down web vulnerabilities once identified. Yet in the real world they are often portrayed as a large part of the security problem. It doesn't have to be that way.

Many, arguably most, software developers are analytical thinkers. They see business issues and technical challenges from a logical perspective. This approach to problem solving is exactly what's missing – and what we need more of – in order to improve web application security over the long haul.

So how can you get, and keep, developers on board with web application security once and for all? It's not that difficult. Here are four things you can start doing today:

  • Explain the "why" of application security in terms they will understand. It's not about bits and bytes or encryption or input validation but rather the business. Show them the standards and regulations (e.g. NIST 800-53, PCI, or OWASP Top 10) that must be complied with. Explain that the business has to produce secure software for reasons X, Y, and Z, and here's how they impact you in your position as a developer.
  • Encourage developers to focus on specific areas of security that have been the most problematic for your organization and others. The OWASP Top 10 2013 is a great place to start but you'll have other areas that are unique to your business. Share security research reports and statistics with them to show the impact web security flaws can have on your business. Find out your own unique pain points and come up with ways for management to incentivize web application developers to make sure those pesky web application security vulnerabilities aren't introduced into your web applications.
  • Find someone on the development team who you know is willing to take the lead on software security. Some developers will be better at this than others. It should be obvious who the best person is to help evangelize security initiatives within the organization. Work with this person so you can both demonstrate that security matters and that you're doing what it takes to minimize your business risks.
  • Share hacking tools and techniques. Your own web vulnerability scanner is a great tool for showing how vulnerabilities are uncovered and exploited. Beyond that, a simple web browser combined with a malicious mindset can do wonders for things such as manipulating the application's login mechanism and workflow/logic. Once developers 'get' the what, why, and how of application exploitation they can change their own mindset and approach to how they develop software.

The growing focus on web application security underscores the importance of developer involvement in the application security process. Don't be afraid to step up and make things happen. If you don't, odds are no one else will until they're forced to, and that's not good for business.

