How to bring security to your company mindset?

How does an internal event dedicated to security make a difference? Why keeping your security team in one place is a bad idea?

Mateusz Olejarka 2021.03.11   –   9 MIN read

No matter if  you’re a senior developer, team leader, project manager, scrum master or architect – If you have trouble implementing the appropriate security quality then this article is for you.

During the security awareness workshops I ran I had quite a few chats over the coffee with developers and they gave me unique insights into application security from their perspective – both problems they face and solutions they either think about or have implemented. Some topics were repeating so I decided to collect them all and share with a broader audience hoping that this will be useful and it will help to build more secure applications.

Below I wish to summarize the ideas related to sparking interest in appsec topics amongst developers, devops, testers and other people involved in building applications, which I discussed over the last few years. So, if you’re wishing to build or improve an application security programme in a software company this article is for you. 

I distinguished 6 different approaches to introducing security into your organisation:

  • Hackathon
  • IT Sec on the run
  • Threat modelling
  • Security Champions
  • Trainings
  • Internal Bug bounty

In this article we will focus on the first two solutions, but if you would like to check out all 6 ideas right away HERE is our playbook.

Hackathon – an event in honor of security

By the term hackathon I understand an event for company’s developers, where during let’s say 24 hours they propose, discuss & select and implement one or several components to help them work. I saw ideas like an application with an access to a camera which allowed employees to quickly tell if the coffee machine was occupied. What an improvement of the time management, no queues.

So, the idea is to create such an event dedicated to application security, it’s better when such hackathons already happen, then the one will be dedicated solely to appsec.

Pros:

  • Measurable outcome (implemented projects) – ideas which will get implemented and used can be reused and enhanced later throughout the entire company (easier to get some time for things build in hackathon than to build something from scratch)
  • Networking with developers – opportunity to talk and get to know each other
  • Demystifying security and making it “fun” and “interesting” over some snacks and beverages

Cons

  • Difficult to organize – especially if there were no similar events before in a company, takes a lot of time which doesn’t produce new application features (so no clear benefit, because security is like insurance, no ROI 😉 )
  • Problem with ideas (when developers provide small number or poor ideas to work on <- be ready with your own list as a backup)

IT Sec on the run – agile moving around the company 

In some companies I work with, the Security Department is strongly separated from others. Most security people do not know many developers. Sometimes they communicate even only with almost anonymous mail e.g. secdepartment@somebank.pl. It’s really hard to cooperate with programmers this way and a good security program needs good communication. Period.

IT SEC on the run is the idea where people from the Security Department “travel” around the company to work closely with developers. 

It takes let’s say 2-3 days in a month, the more the better, where a given security engineer sits in the open space with developers. They may do their own work, but the developers know that she or he is there and can be asked appsec questions and discuss various security related topics the developers have on their agenda at this very moment.

Pros

  • security people and developers get to know each other
  • security people get to know how developers work, what are the processes they follow
  • easier access to security council for developers

Cons

  • no visible cons, maybe except ITSec engineer discomfort when being overrun by developers 😉

Which approach to choose? 

Hackathon will help you make security fun and interesting. However,  I you have a Security team definitely go for IT Sec on the run – both sides (devs and security) will benefit from close cooperation.

Of course, the available solutions do not end on Hackathons and IT Sec on the run. As I mentioned at the beginning of this article there is also Threat modelling, Security Champions, Trainings and Internal Bug bounty. These also do not have to be the only solutions and there is always something in between.

To make it easier, we prepared a really fun playbook in which you will find the right questions to ask yourself. Each of the previously mentioned 6 approaches is available at one click.

Mateusz Olejarka 2021.03.11 ·3 MIN czytania

If you have any questions or you just want to talk about the possibilities of implementing security in your organization don’t hesitate to use our contact form 🙂

Mateusz Olejarka
Mateusz Olejarka Principal IT Security Consultant
Head of Web Security