
'Security' is not a dirty word: how a positive approach transforms security programs

Jaap Karan Singh
Published Apr 17, 2019
Last updated on Mar 09, 2026

Originally published on the DevSecCon Blog.

Having been on both sides of the fence, I know all too well the tension that can arise between the development team and AppSec specialists when it comes to upholding security best practice.

It's tough; at the end of the day, a developer's chief priority is delivering software features. They must be beautiful, functional and help showcase the power of the application. With agile development practices typically in play these days, these features must be completed to strict deadlines... and security is rarely high on the list of concerns with so much else at stake.

Security is seen as the domain of the AppSec team, who have the unenviable task of scanning code (or worse: reviewing it manually, line-by-line) and reporting to the development team that their code is insecure or indeed, entirely unusable. They're the sticks in the mud that pick apart their good work, halt innovation and generally create a headache for developers. At the end of the day, many security issues are quite a simple fix: perhaps just one line of code could reinforce a vulnerable back door in minutes.

But, here's the problem. With "security" so synonymous with a negative experience, developers simply aren't engaged with it as closely as they should be. Those one-line fixes aren't happening: after all, the AppSec guys continually come across the same issues. It must be quite maddening for them to still be pointing out SQL injection flaws, more than twenty years after we first discovered them (and their subsequent fix).

What we've done to date isn't working anywhere near as effectively as we'd hoped. We need to focus on repairing the bridge between developers and AppSec specialists, striving for a positive security culture in which developers are given the tools and training to make a real impact in the space.

Who knows? They might even fall in love with it as I did!

Positive security is the fastest and easiest way to improve application security

Positive security is the fastest and easiest way to improve application security, and no, it's not some woo-woo about intangible outcomes. It is an absolutely vital ingredient in the secure coding recipe of success.

Developers hold the key to improving security from the very beginning of production, by writing secure code in the first place. By creating a positive security culture and getting developers excited about application security, common vulnerabilities can be wiped out before they ever make it to a scan or manual code review in AppSec land.

It's thirty times more expensive to fix vulnerabilities in code that is already committed, so finding training that plays to developer strengths, holds interest and actually works is a huge step in future cost reduction for identifying and fixing those recurring vulnerabilities.

Positive, developer-focused initiatives foster the right security culture.

When everyone is on the same page with security best practice, a positive security culture is a happy, vital by-product.

Positive, scalable, developer-focused initiatives foster the right security culture. Engaging the problem-solving, creative minds of developers is essential to winning them over, as well as ensuring any new recruits can quickly come up to speed with the security expectations of the team. Get in touch for an overview of how the developer-security relationship has evolved and ideas on rolling out a successful security awareness program in your own organization.

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
