Advice from the Front Lines: How We’re Creating a Security-first Culture for Software Development
Nearly 70% of every application is made up of reusable software components, according to WhiteHat Security. This is fantastic for speed and efficiency in software development, but it also means that a vulnerability in a single component is inherited by every application that reuses it, so one flaw can affect many parts of an application (and many applications) at once. And application security is a very real challenge: Micro Focus's 2019 Application Security Risk Report found that nearly all web apps have bugs in their security features.
At Gorilla Logic, we take security seriously. We have a dedicated Security Practice, staffed with domain knowledge that spans the full software development lifecycle. We're ISO 27001 compliant. And to create even deeper benches of certified security experts across multiple domains, from development, to QA, to UI/UX, to DevOps, we launched a Security Champions program. Our pilot has proven wildly successful in helping us build a robust and dynamic security-first culture, so we wanted to share what we've been learning along the way in the hope that it inspires you to do the same in your organization.
Offer structured group learning
We developed our own 8-month curriculum, using published materials as a base and adding our own lessons learned and best practices on top. We met weekly for several hours, mostly after hours via Zoom calls. Although the sessions were after hours, our students enjoyed the camaraderie and gave us very positive feedback about the time spent.
Include a security certification
To make our program as appealing and useful as possible, we linked it to the Certified Secure Software Lifecycle Professional (CSSLP) certification offered by (ISC)². The CSSLP develops advanced technical skills and knowledge needed to implement security best practices into every phase of the software development lifecycle (SDLC), including authentication, authorization, and auditing. For software professionals, the CSSLP is a great way to advance a career. We reimbursed staff for the certification when they passed the examination, so there is a commitment from all sides and everyone wins.
Involve as many people as you can, from across domains
The best security practices happen when the whole village gets involved. For our program, we had developers, QA, UI/UX, and DevOps experts, all coming together in one weekly session. Whenever we’d study a specific issue or case study from the curriculum, we all got to hear from all the other domains about how they’d think about and approach the issue. The sharing of different perspectives proved to be one of the most valuable parts of our program.
Grow the program by transforming students into teachers
In our experience, the best way to know you’ve really mastered a topic is to teach it. That’s why a part of our program transforms our students into the next generation of teachers. Going forward, we’ll use the same curriculum and materials, and we’ll have a lot more people available to deliver the curriculum and to mentor the next groups of Security Champions. The field of security never stops changing, and this part of our program keeps everyone involved and always learning from each other.
Our Security Champions program has taught us a lot in just this first year. We’ve been reminded that everyone learns differently. We learned that there’s power in a community. We’ve gained insights from our colleagues in different domains. And we’ve learned that we can all help each other to grow an even more robust security-first culture. It’s worked so well for us that we hope we can inspire you to do the same for your organization next year!