Be an awesome sidekick — AppSec Lessons from the School of Hard Knocks
Imagine this: you walk into the doctor’s office with a horrible headache, seeking help, but your doctor decides to focus instead on your lack of exercise and your diet.
How would you feel?
I’d never go back to this doctor.
Next, consider road fatalities. Given how many happen every year, as a rational person you’d rather not become one. Driving a tank every day would undoubtedly improve your safety and security. Yet, for most of us, the daily commute isn’t in a tank.
Why?
If I boil it down to one word: practicality. It’s much harder to do.
Reflecting on both situations, we see that respecting the priorities of each circumstance is fundamental to the choices made, and that people will usually take the easier path. For application security (AppSec) professionals, these are crucial lessons for success. Let’s unpack them.
1. It’s about them. Not me.
AppSec is a support role. It does not exist without an application to secure. Developers, on the other hand, can build applications without security (risky and concerning as that is). Understanding this puts into focus that, as AppSec professionals, we’re here to support the developers and the business in building a trustworthy application that behaves as intended.
That means we must first seek to understand their goals and priorities. Focus on the help they want, and then opportunistically find ways to deliver on what they need. Our role is most often to advise, influence, and support. Focus on the wrong priorities and you’ll likely be excluded from future conversations, like the doctor was.
2. Priorities (and constraints)
As a supporter, it is important that we understand the priorities of the application team and the business so we can help them accomplish their goals. That’s why you’re hired. This often means untangling competing priorities and constraints and helping the team make informed decisions. Understanding those priorities keeps the support we provide sensible. It also helps to know how teams prioritize work and weigh constraints: by understanding methods like RICE (Reach, Impact, Confidence, Effort) and MoSCoW (Must, Should, Could, Won’t have), and the backlog grooming sessions where they are applied, we can fit AppSec work into the team’s existing workflow and priorities rather than bolting it on from outside.
As in the example: although avoiding the risk of a road fatality matters to any rational person, the affordability, availability, and convenience of everyday transport take priority over the safety a tank provides. In a warzone, a different outcome would be likely.
The decision is almost always “good enough”, because there is always more to do. Being safer from car accidents isn’t much use if you starve; the same holds for AppSec. We need to keep improving AppSec sensibly: through evolution, not revolution.
3. Easier is easier
How do we support our application teams? By making security the easier choice. Despite the risks, we still jaywalk. We have evolved with a bias for whatever is easier.
Leverage that behaviour, and make the secure workflow far easier to adopt than the alternative. Use a modern development framework, like ReactJS or Ruby on Rails, instead of coding boilerplate from scratch: it comes with batteries and security built in. React escapes rendered values by default, and Rails ships with CSRF protection and parameterized database access through ActiveRecord, so the path of least resistance is also the safe one. It’s easier, faster, and reduces bugs, including security ones. The caveat is that these defaults only protect you while you stay on that path; explicit opt-outs such as `dangerouslySetInnerHTML` in React or `html_safe` in Rails are exactly where reviews should look.
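To make the “secure by default” point concrete, here is an added example (not code from the original post, and not React’s or Rails’ own implementation) of the pattern those frameworks rely on: a small hypothetical `html` tagged template that escapes every interpolated value, with an explicit `raw()` opt-out for the rare case that genuinely needs markup, shown beside the from-scratch string concatenation it replaces. The `<img ... onerror=...>` payload is a constructed test input.

```javascript
// Added illustration of "secure by default" rendering. The helper is
// hypothetical and minimal; it mirrors the shape of framework behaviour
// (React escapes interpolated values, opting out needs a deliberate call),
// it is not React's or Rails' actual code.

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Wrapper marking a string as already-trusted markup. Creating one is the
// only way to get unescaped output, which keeps the opt-out explicit and
// easy to grep for in code review.
class RawHtml {
  constructor(markup) {
    this.markup = markup;
  }
}
function raw(markup) {
  return new RawHtml(markup);
}

// The easy path: a tagged template literal. Every interpolated value is
// escaped unless it was deliberately wrapped with raw().
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    out += (value instanceof RawHtml ? value.markup : escapeHtml(value)) + strings[i + 1];
  });
  return out;
}

// The "from scratch" path: plain concatenation. It is only safe if the
// developer remembers to escape at every single call site.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Same output, but the template does the escaping for free.
function renderGreetingSafe(name) {
  return html`<p>Hello, ${name}</p>`;
}

// Constructed test input: a classic stored-XSS style payload.
const payload = "<img src=x onerror=alert(1)>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderGreetingUnsafe(payload));
  console.log("safe:  ", renderGreetingSafe(payload));
  console.log("opt-in:", html`<div>${raw("<b>bold</b>")}</div>`);
}
```

Notice the asymmetry: the safe rendering costs the developer nothing extra, while emitting unescaped markup requires a deliberate, reviewable call to `raw()`. That is the same trade React makes with `dangerouslySetInnerHTML` and Rails with `html_safe`, and it is what “security built in” actually buys you.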
Conversely, put a meaningful cost on unwanted behaviour, such as having the person who introduced a bug or security weakness be the one who fixes it. This creates an accountability feedback loop that nudges teams toward doing the right thing the first time, when it is easiest.
These lessons helped me empathize and collaborate more effectively with my development teams. I hope they help you build amazing things, safely, with security built in.
🖖 hoodiePony