Security is a hot topic the last years and certainly the last few months during the COVID-19 period. The more people work from home which gives hackers almost a free-pass to spot opportunities. And as far as I know there are still a lot of people with a low security WIFI at home, even software engineers.
I recently joined some discussions about software security and how to implement it and/our how integrate it into a work process and sometimes even on an onboarding process. I’m a bit sad that people still believe that a company and all of the teams can adopt the security measures at once. I certainly agree we need security in every single step of software development, however is it realistic to assume that a company or even a team can do all of these steps at once?
My point of view is based on my experience for working at some governments and large enterprise organisations among others. The main thing here is to make the top (management) aware of the high priority security needs to have. The top management is about the budget(s) and decide which priority something has, as they pay your salary and for the software you’re using. But however this isn’t a one way street, at least I think it shouldn’t be, you’re hired for a reason and with your expertise you can advise them or make them aware of the risks you know of.
So my first step would be to address this to the Product Owner or Team Manager / IT-Lead. Not expecting an enthusiastic response and a bag of money but at least they know you’ve got the topic in the back of your mind.
The nicest example I can give from my experience is that I managed to find a lot of vulnerabilities in one scan on a web project ( Java Spring Boot) and one of the vulnerabilities was marked as (highly) critical because of a RCE ( Remote Code Execution) throughout the logging framework. So basically the logging introduces the ability to execute code on the external machine, that should make you think about the risks being exposed to potential hackers.
This doesn’t necessarily means that if your first attempt of security awareness fails to impress the top management or product owner we’ve failed forever. You can still perform security measurements in your work process as a team. At the start of a project or during a refinement you can think of security measures/risks which you can specify an can even test upon during the implementation of the task/project. However this still remains a team effort, you can’t ride this rodeo on your own.
But this is from bottom to top? Yes, that’s correct, if you manage to make the security risks understandable for the management and with the support of your team you can work your way up. Just make the costs and possible damages understandable without showing them code and it will make a lot more sense to them.
So my second step would be to convince my team for taking (baby) steps which result in integrating security in the work process. This can be defining a project or task, but also to use a tool locally or in a pipeline which scans for vulnerabilities. Whatever suits your needs and situation.
Count your blessings as this will not take effect in a day, week or even a year. Company culture is a slow moving subject which takes a lot of time for new ways to integrate into a work process.
That’s why I think from my personal point of view that even when I can convince my team to make minor adjustments like for example adding a maven/gradle plugin which scans for vulnerabilities or run the application through a proxy which consists of a vulnerability scanner like BurpSuite or OWASP ZAP. This will generate a report based on the latest NVD database consisting of known Common Vulnerabilities and Exposures (CVE). This report can be your tool ( leverage 😉 ) to support your argument of more time to spent on security issues.
So my final note on this topic is that we could start on both ends and meet each other in the middle. At least someone needs to keep moving to make progress. That way we don’t expect a big bang and hopefully the bottom and top meet each other at some point.