Miscommunication breaks things in business. Whether it’s unintentional (based on assumptions) or intentional (driven by political motivations), miscommunication is at the heart of most challenges in business today. In our line of work, there’s hardly a more obvious form of miscommunication than what happens with application security:

  • Marketing has its own messaging
  • Salespeople promise the moon
  • Customer service and help desk personnel gather feedback
  • Security staff have their own standards
  • IT operations are working on what’s the most time-sensitive
  • Developers are doing their magic to meet specific requirements and tight deadlines

Developing just a single application involves a complicated ecosystem that includes so many unique roles and people that it often ends up as a cascade effect full of gaffes, oversights, and missteps. This is how application security gaps form, exploits arise, and tangible business risks remain a part of the process.

Given the difficulties in finding – and keeping – experienced developers, this challenge needs to be a priority for your business. I work with a lot of software developers and find that they are not only some of the smartest people in the organization, they are also some of the easiest to work with. But they must be in the loop – a part of the ongoing security conversation – not just implementers of stuff.

Early on in my career as an independent information security consultant, I noticed that many developers were unfamiliar with the OWASP Top 10 framework for web application security. It literally took 15 years to start seeing developers who had not only heard of the OWASP Top 10 but actually understood critical security concepts beyond passwords and SSL. I believe this increased level of developer involvement in security is largely because they are being:

  1. Brought in earlier in the system development lifecycle
  2. Asked for their input on how to build more resilient systems
  3. Provided with the necessary security tools to enhance their development efforts

Still, based on what I continue to see in my work, communication among system/application stakeholders is not where it should be in most organizations. Security philosophy, mission, goals – the expectations of all these elements need to be properly set, especially with developers. To have an application come to fruition only to find out that security control X was overlooked or security feature Y was pushed aside because not everyone was on the same page is an unnecessary side-effect of poor communication.

Greek Stoic philosopher Epictetus said it is a universal law – have no illusion – that every creature alive is attached to nothing so much as to its own self-interest. If application resilience is one of the main goals, it means that you must do what you can to keep politics in check. Focus on leadership and positive communication among everyone involved in the application lifecycle. Keeping the right people in the loop at all the right times is essential for application security improvements. Having a representative from your development team as part of your security committee can really help.

Communication is critical for application security. The good news is that communication is a skill that can be learned. It’s a reflection of the level and quality of leadership in the organization. But don’t wait for executives to do what’s right! Get started on it yourself…today. Address the things that you have control over, and the important things will fall into place.

When in doubt, get developers involved with security as early as possible. There are many ways to do that. Give them the seat at the table they deserve. The more that developers are involved with security, the more interested they’ll become. As they become more interested, it will open the door for better communication and better software. Rather than having an ancillary role in the process, developers will become an integral part of the team working for the greater goals of security and the business as a whole. That’s exactly what’s needed to make software better.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.