I recently attended and gave a brief talk at the Software Assurance Working Group. I spoke about the need for security folks to speak with developers – not at them. This is a frequent topic in the security space but I have to question, have we gotten any better? My answer – “Not so much”.
As security folks, we are great at finding problems. But I have come to realize that we don’t have a problem finding problems… we have a problem fixing them. And the answer is not simply better or more secure coding practices, or more training.
The problem with security professionals is that we tend not to get our hands dirty. We don’t spend enough time understanding the development process, people, and technology. It’s no wonder that we can’t implement the right fixes in the context of the existing development practices. For example, recommending that developers use security packages like Apache Shiro or ESAPI falls on deaf ears if the development stack is using Spring Security.
This reminds me of a conversation I had with our COO, Deborah Rosen, about the people you need for a successful startup. She asked me, “What kind of person do you want around you when you are really sick? Do you want the person that calls and says if you need any help just call? Or do you want the person that just shows up at your house with a bowl of hot soup?” I think most people want the person who steps up and dives in with a solution, not someone waiting by the phone for a call.
I see this as pretty common behavior for security professionals. We are quick to find problems and when asked, we always offer advice; but we rarely just jump in. There are plenty of open source and corporate projects that would love people to bring the soup, not just point at the problems. I know I am going to focus more of my efforts on this approach.