Who is responsible for software security? This question has been asked by many in the industry. It’s asked because when major software vulnerabilities lead to data breaches or major problems, some may want to know who to blame. Others want to know how to prevent such mistakes in the future. Where should resources be directed to help prevent software vulnerabilities?
Focus has increased on teaching software engineers how to write secure code. This focus is not wrong. In fact, Veracode loves to help engineers refine their secure coding skills. However, it’s not realistic to think that secure software can be created by only educating software engineers. More must be considered.
Software engineers aren’t the only people who have an impact on the final piece of software delivered to customers and clients. Software development is a complex process with many moving pieces. Let’s talk about three positions in the software development world that need security awareness just as much as developers do.
Security teams: more than compliance
Okay, I know. Saying security teams need to know security is a total softball. But hear me out. Security teams need to understand secure coding as well as security vulnerabilities.
Application security teams tend to differ from organization to organization. Some larger organizations feature security teams that are worried about compliance, regulations, and keeping all of the security vulnerabilities found under control. A security team role in such an organization may include some threat modeling or finding security vulnerabilities. But it may also spend tons of time creating programs and paperwork and processes that development teams need to follow. All of this extra work may not leave much time to learn the technical details necessary to really help developers write secure code.
Some organizations have security teams that are closer to the development side of the shop. They may have security engineer positions responsible for fixing insecure code and helping to train software engineers to do the same. This level of knowledge is preferable for security teams. If your security team scans software using automated tools, then ships the vulnerabilities over to the engineers, it isn’t really doing its job. Security is more than compliance. Security is more than scanning tools.
You’re going to find developers who don’t really understand secure coding, especially those at a junior level. This knowledge will come with time. Until such an engineer is more seasoned, it may fall to the security team to show how to fix vulnerabilities in the code. In order to do this, security teams need to understand how to code and how to do it securely.
Project managers: prioritizing security
Building software is a complex process that needs to be managed effectively to be kept on track. A software project manager has that job. And a position that is so integral to delivering software successfully must know the importance of security.
Project managers have several key responsibilities. Let’s take a look at how these responsibilities impact software security.
Time management and planning
Project managers must make realistic estimates and create a plan to meet those estimates. A realistic plan includes security. Project managers must understand that security issues will occur and some will be critical enough to require immediate attention. The plan cannot assume the best-case scenario, leading to a deadline that is too tight. Extra buffer time should be included for security bug fixes that will be found during the development process.
Another aspect of planning is the budget. Many software vulnerabilities end up being delivered to production because fixing it will take too much time or too much money. Security savvy project managers understand this and make sure security fixes are accounted for in the budget.
Analyzing and managing project risk
Risk is an area where project management and security intertwine the most. Software vulnerabilities and threats found during threat modeling are risks to your project. They need to be managed just like any other risk, such as lack of resources or infrastructure. Call out major security risks to upper management. If your management is unaware of the possible impacts these vulnerabilities could have on the success of the project, they’ll be making decisions based on incomplete data.
Within the project itself, project managers need to work with developers to make sure new functionality is balanced with security fixes. The risk of spending too much must be balanced with the risk of the vulnerability being exploited when the system goes live.
Security savvy organizations make their project managers responsible for the security of the software they’re building. It’s a big part of software quality as any other aspect. Speaking of which…
Software testers: testing for security
There are several key responsibilities of the QA, or quality assurance, team. This team tests the software being built to make sure it does what it is meant to do. This role requires knowledge of what the business client or customer is expecting from the software. It also requires an understanding of the various requirements of the application as defined by a business analyst or product owner. Security knowledge is also key to effective testing.
Most think of QA as the team that finds functional bugs in the software. The software engineers then fix those bugs and the QA team verifies. Often a security team then runs scans or penetration tests the software in another testing cycle to find security issues. But two cycles may not be necessary.
This is not to say that software testers should become security experts. However, a security-savvy testing team helps to find ways to “break” software in interesting ways and these “breaks” can lead to vulnerabilities. Experienced testers with the right mindset and tools can help uncover many bugs, both functional and security related. At the very least, security teams won’t have to dedicate huge amounts of time to each application since the testers are taking a preliminary look at it. The security team will be there for support and guidance as needed, but the work “in the trenches” can be done by the QA team.
It takes a village to raise an application
Software requires a large team of people from different disciplines to create it well. Here’s what you can do for each member of this diverse team to help all contribute to secure software.
Security Team
- Security should be about code and not just compliance and processes
- Your security team should know how to write code and write it securely
- The security team should also teach developers how to write secure code
Project Managers
- Project managers should be held accountable for making sure security is properly reflected in the project plan
- Security vulnerabilities will happen and need to be managed like any other risk
- Major vulnerabilities should be reported to management so a complete risk picture is communicated
Software Testers
- Testing software is not just about functional testing, but also security testing
- Security savvy testing groups can take some load off of the security team and give the security team an extra set of eyes
- Good testers can find ways to break the system, and these breaks often can be exploited by attackers
When everyone involved in building software shares some responsibility for security, your software will be more secure. It’s not only developers who need an eye for security. They write the code, but there are other players who have an impact on the security of the final product. Security teams, project managers, and QA teams can all contribute to building a product that is rock solid and free from vulnerabilities.