Trust is one of the most important aspects of any business. When team members trust one another, they feel comfortable opening up, taking appropriate risks and admitting their own weaknesses; without it, teams suffer a lack of innovation, collaboration, creative thinking and productivity. Software development is no exception.
Today’s software and web development teams are doing great work. High-performance teams build the highest-quality products when they can trust that their teammates are carrying their own weight, holding each other accountable and willing to help unblock one another. Historically, however, developers have perceived security teams as a blocker to getting software to market, while security teams argue that developers don’t listen. In reality, there is truth on both sides. To reach a world where software is more secure, we must overcome these cultural differences.
Like many professionals, developers want accountability and transparency, and they want colleagues who listen, empathize and work efficiently with one another; none of that is possible without trust. The question is how to build the kind of trust needed for secure development.
Team Building vs. Principles to Live By
When our tools aren’t well integrated, it reflects processes and teams that don’t speak the same language, and that leads to inefficiency and communication breakdowns. I propose promoting a set of principles to align developers with their security colleagues.
To be clear, traditional team outings and lunches still have their place in workplace culture, but they will not meaningfully bring developers and security teams together in the long term. Team building really comes down to time spent ‘in the trenches, elbow to elbow,’ observing the day-to-day tasks and behavior of those around you. Knowing that a team member has your back builds trust and frees you to voice opinions.
To embark on the journey of building trust, here are five principles that developers and security teams can embrace for themselves and their organization:
- I will speak the truth
- I will help others on my team succeed
- I will practice accountability
- I will work with the highest levels of expectation
- I will listen carefully to what others on my team are expressing
Imagine what your organization’s culture will look like when these principles are translated into secure coding.
A few examples of putting those principles into action include:
- Developers sitting down with a security architect to listen to what is being asked. If I am a developer and don’t clearly understand a security requirement, or don’t know how to test whether it has been met, I will speak up immediately rather than let it sit in a backlog.
- As a developer, I will focus on the highest level of quality and refuse to take security shortcuts, such as hard-coding secrets into my code. A secret committed to source control is exposed to everyone with read access to the repository and remains in its history even after the line is deleted, so the only real fix is to rotate it.
- Instead of telling developers to “pick up a book on security” or “read about security and figure out the details,” the security team could engage constructively in a way that helps both teams succeed.
- Developers could set a goal to learn something new about security each day.
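The hard-coded-secret shortcut mentioned above, shown beside its corrected form and a small review-time check, as an added example that is not code from the original article. The API key, the `load_secret` and `find_hardcoded_secrets` helpers and the sample source snippet are all constructed for illustration; the credential value is a made-up string, not a real key.

```python
"""Added example: a hard-coded secret, its corrected form, and a pre-review check.
All names and values here are hypothetical and constructed for illustration."""
import math
import os
import re
from collections import Counter

# --- 1. The shortcut: a credential baked into source. Anyone who can read the
#        repository (or its history) now holds a working secret.
API_KEY_HARDCODED = "sk_live_4f9c1e2d8b7a6c5d4e3f2a1b0c9d8e7f"  # constructed, not a real key


def connect_insecure():
    """Builds an auth header from the literal above; this is the anti-pattern."""
    return {"Authorization": f"Bearer {API_KEY_HARDCODED}"}


# --- 2. The corrected form: the secret is injected at runtime (environment set by
#        the deployment platform or a secret manager) and the code fails closed
#        instead of silently running with an empty credential.
class MissingSecret(RuntimeError):
    pass


def load_secret(name, environ=None):
    env = os.environ if environ is None else environ
    value = env.get(name)
    if not value:
        raise MissingSecret(f"{name} is not set; refusing to start without it")
    return value


def connect_secure(environ=None):
    return {"Authorization": f"Bearer {load_secret('API_KEY', environ)}"}


def secret_is_configured(name, environ=None):
    """True if the named secret is present and non-empty, False otherwise."""
    try:
        load_secret(name, environ)
        return True
    except MissingSecret:
        return False


# --- 3. A review-time check: flag assignments of long, random-looking string
#        literals to secret-looking names. Shannon entropy separates real keys
#        from placeholders and ordinary configuration strings.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|passw(or)?d)\s*=\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source, min_entropy=3.0):
    """Return (line number, variable name) for each likely hard-coded secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SECRET_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(3)) >= min_entropy:
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample source: one real-looking key, one hostname, one correct
# environment lookup, and one low-entropy placeholder that should not be flagged.
SAMPLE_SOURCE = """\
API_KEY = "sk_live_4f9c1e2d8b7a6c5d4e3f2a1b0c9d8e7f"
DB_HOST = "db.internal.example.com"
PASSWORD = os.environ["DB_PASSWORD"]
token = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: possible hard-coded secret assigned to {name}")
    print("API_KEY configured:", secret_is_configured("API_KEY"))
```

The check is deliberately simple: it looks only at single-line assignments and uses an entropy threshold to skip placeholders such as `"changeme"`-style strings, so it will miss secrets split across lines or built by concatenation. Treat it as a fast pre-commit gate that complements, rather than replaces, a full secret scanner and the rotation of any credential that has already been committed.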
If we work at building trust in our day-to-day activities, everybody ends up on the same page and we move one step closer to creating secure products.
Addressing Pressure to Perform in the Face of Security Requirements
There are plenty of frameworks that propose key values and principles for software developers. For example, the Agile Manifesto dates from 2001, and the Threat Modeling Manifesto was published in 2020. These are great guideposts, but the question developers ask is, “what do I need to do with this information?” I hope that with actionable guidance and deeper collaboration between security teams and developers, developers will grow to embrace security as a normal part of their job. Similarly, security teams will come to appreciate the challenges of developing and maintaining a complex software stack.
Software developers hold themselves accountable for the functionality and health of a product. But at the end of the day, developers don’t necessarily live in security, just as security professionals don’t live in code. As developers, we want to do right by our teams, customers and products. We can clearly picture our destination, but it’s the journey we struggle to see. And that’s ok: every journey starts with a few steps, and the journey of trust is no exception.