Development Double Agent
Of the many ideas floating around the application security industry lately, there is one often overlooked but very effective approach: spying. Too often security personnel will look at developers as improperly educated code jocks, akin to Hollywood’s portrayal of “hackers” in the 1990s. Similarly, developers see the security analyst as an idealistic zealot with no concept of how things are in the “real world.” So the goal is to bridge the gap between the security and development groups. That bridge is a trusted developer who has a technical understanding of application security issues.
Who should be the bridge? There is no perfect answer to this question, so I’ll give some analysis of your options.
- Current Developer – By promoting–or at least elevating–a trusted senior developer to the position of “Security-Development Bridge”, an organization can expect a near seamless transition from vulnerability detection to resolution (assuming the recommendations below are implemented properly). As a developer, the individual will understand the unique demands and expectations that the business pushes on its developers. With the appropriate training, the individual can also help to translate vulnerability findings into development remediation plans. With insider information, this double agent could also help the Security group better understand how the development group implements their recommendations. The related personal growth and resume enhancement are similarly a great opportunity for the developer in question. This should be considered your best option.
- Current Security Analyst – This would not be considered a bad option if an organization is building a new application security program or just getting its feet wet. The window of opportunity for the Security group to successfully plant someone inside the Development group is small, but possible. Any pre-existing resentment or prior disagreements may end the initiative before it starts, regardless of whether the individual analyst was directly involved. Of course, prior development experience is highly recommended, as is detailed training on the organization’s SDLC and related policies and procedures. Being a current employee of the organization will allow the individual to immediately focus on learning how to best fulfill the role rather than laboring through the on-boarding process.
- Experienced Outsider – If options 1 and 2 are not possible or preferred, an organization may have to look outside its doors to fill the role. All of the recommendations and rules of experience and group interaction described above apply here as well. Depending on the amount of ongoing development, the role is likely to be a full-time position, although providing hands-on assistance to developers may be possible and help to build trust.
- Outsourcing – Despite being in a position to benefit from a long-term staffing opportunity, I generally do not recommend outsourcing the double agent position. It may be more difficult to build trust amongst the developer ranks for a true outsider. Alternatively, a consultant could be in a particularly effective position to build a tunnel if a wall separates the Security and Development groups. Organizations and individuals alike are often more willing to trust an experienced and knowledgeable third party than their enemies across the cube wall.
How should we build this bridge? Similar to nearly all other security initiatives, there should be support from management. I doubt the upper echelon of most organizations will want or need to involve themselves in such minor details, but at least the heads of the Security and Development groups need to fully support the plan and its details. Some other suggestions:
- The Security and Development groups must very clearly define the role and responsibilities of their new agent.
- As indicated by the title of this article, the double agent should be organizationally placed in the Development group. This can help to build trust amongst the developers and improve the application security program where it typically struggles most: remediation.
- Encourage or initiate teamwork. A friendly group lunch, happy hour, or other event could very easily improve the ROI of the double agent initiative. Yes–when in doubt, add food!