Are you a software developer? If so, I don’t envy you. Of all the possible positions working in and around IT, you’ve arguably got the toughest one. I’ve witnessed it over the years while performing my own security assessments as well as hearing about it from friends and colleagues who are developers. You’ve literally got people coming at you from every angle:
- Information security staff are testing your apps every month calling your baby ugly
- Internal auditors are asking why certain security gaps have not been addressed
- Compliance managers are telling you that you’re violating company policy
- Sales and marketing reps are requesting more security features to “wow” their customers
- Tech support staff are relaying messages from customers about all the security features getting in their way
- Business partners and customers are inundating you with their 50-page security questionnaires asking if SSL is used, servers are being patched, and firewall rules are audited periodically
- Executives are asking you and everyone else “What’s this security thing you speak of?”
These people want answers – now. They’re often distracting. They’ll bug you. No, they’ll badger you until you tell them what they want to hear or until you come up with a “fix”. Sure, there are reasons behind all of this. Some good, some mindless. Either way, it’s got to be tremendously difficult to manage.
On top of all this there’s the OWASP Top 10 and the CWE/SANS TOP 25 Most Dangerous Software Errors as well as NIST and other standards bodies that are telling you the best ways to do your work. Furthermore, you have seemingly endless development platforms and Web browsers to support. From old installations of Netscape Navigator that won’t go away to Silverlight to HTML 5 and beyond, I really don’t know how you keep up. Again, some of these resources are a great enabler. But they can also be a real thorn in your side.
Overall, I'm guessing your experience is similar to that of doctors, architects and other highly-regulated professionals who'd like to just use their skills to focus on the work at hand without getting caught up in certain nonsense. I suppose it's just the nature of the beast in the business world today.
Don’t fret. There are people like myself out there that know what you’re up against. Likewise there are many who can relate and understand all the technical and business skills required to write new software and develop new systems with security in mind. Not to mention all the legacy applications which need to be brought up to snuff to comply with whatever security standards or privacy regulations.
Sure, I’m on the other side of the table doing security assessment work - often the person that points out such issues that end up on your desk. Just know that I feel your pain.