This is the last in my series of blog posts on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research, and Ryan Berg, Sonatype CSO.
When asked how organizations can hire good security talent in today's competitive marketplace, Wendy noted:
- "Some of the best app security people that I have seen are really good developers that picked up the security mindset and learned more about it. If you have really smart architecture people... developers that already know your applications, and they have the right mindset to learn the hacking side of things, they can make really good app sec people."
Ryan went on to explain:
- "Developers are the front line - but you really need to have both. Since developers understand the development process they make good security people... Having someone that is part of the agile development process, who understands the business requirements. You need the security angle but you need to think about usability and how things might be exploited. Developers can bring a balanced view because they understand how the development organization works."
And Ryan commented on how management has to be committed to security:
- "I haven't found a developer that says 'I want to write really insecure code today'... half the time they don't have the tools, the training, or the backing of the organization that says security is an important thing and this should be something that is part of your day-to-day responsibility."