Faced with a constantly evolving threat landscape and a shortage of skilled staff, many organisations are struggling to improve the overall maturity of their in-house security teams, Pieter Danhieux of Secure Code Warrior writes.
Staff may lack the experience needed to deploy and manage required security tools. They may also struggle to effectively deal with alerts as they arise.
Regardless of the starting point, improving security maturity can be a struggle for organisations at every level as the industry collectively grapples with challenges amid a complex threat landscape.
The three stages of security maturity
While an organisation’s exact maturity remains hard to define, we’ve found that development teams often fit into one of three stages based on their behaviour.
Defining: These organisations have identified the need to define and build the security maturity of their development teams. They realise that software vulnerabilities exist in their code and must be addressed, but they lack the processes and skills to remediate them. These organisations may have started to plan how to build their developer maturity but remain reliant on a reactive approach. AppSec managers and developer teams may not have a close relationship.
Adopting: Organisations at this stage have begun to adopt and incorporate secure coding practices into all stages of the software development life cycle, but it remains a work in progress. Development teams may have good fundamental practices for improving security maturity but battle inconsistencies, with efforts still siloed. Organisations can remain in this stage while they build better relationships between developers and security teams and ensure developers have time to learn and practise new coding skills.
Scaling: At this stage, organisations have implemented a cohesive approach to secure coding with a foundation to improve and evolve practices as needed. Developers at this level act as a true frontline of defence and have mastered the fundamentals of secure coding practices. As a result, management advocates for security and functionality to have equal importance, and they are baked into developer workflows.
Improving developer maturity
Development maturity does not come without an organisation-wide push to make improvements. Maturity is not simply a matter of hiring experienced developers; it requires creating a training-focused ecosystem that encourages and rewards developers for expanding their skill sets.
To build this environment, organisations first need to establish a consistent measurement of security maturity. This includes defining a plan to upskill developers and providing them with an opportunity to grow. Organisations often neglect developer training, leaving it to a once-a-year activity to check a compliance box.
Instead, offer developers the opportunity to train on tools and techniques that interest them and that help the organisation’s overall maturity. Focus on individualised training that lets developers build on their existing skills through hands-on exercises that build on one another.
That training should focus on all aspects of development but also emphasise security. Skilled and willing developers who are security-aware and passionate should be appointed security champions. Their responsibility as a champion is to help their fellow developers improve their skills, in addition to acting as a liaison between the development and AppSec teams. These leaders can take a hands-on, technical role in helping out their fellow developers; however, they should not be positioned as the security lead within the developer team. The goal of security champions is to coach fellow developers as they build security skills to the same standard.
There should also be an understanding that progress never ends. Create a schedule for continuous check-ins so there is consistent improvement.
The road forward
The security threats faced by organisations are going to continue to evolve in the weeks and months ahead. Steps must be taken to ensure that protective measures are in place and a mature approach is taken to their management at all times.
Developers need to understand their role in this process and the steps they can take to ensure their code is as robust and resilient as possible. Security maturity can’t happen overnight but is something that can evolve over the longer term.
Pieter Danhieux, CEO and co-founder, Secure Code Warrior.