Friday 23 September 2016

AppSec should buy tools for developers

(from Software Quality book)

This is a great opportunity to generate goodwill and positive working relationships with developers. If the AppSec team is able to actually find the budget for tools, it will help developers be more productive.

Two great examples are WallabyJS for javascript and NCrunch for .Net

Inside a large organization, you will find teams where for some reason or another, management hasn’t seen as a priority to invest in tools for developers.

It’s a good opportunity for security teams to buy those tools and give them to developers saying “Hey, we need you to write more/better test APIs, so that we can write our abuse cases using them”.

What we are doing is improving the ability for that team to write better tests and we’re also creating good relationships for the developers.

The concept of making developers more productive, is something that has to really permeate everything that the AppSec does. One of the key objectives of the AppSec team is to make the ‘company’ more productive. So everything we can do to make them better is fair game.

The reality is that sometimes we do need to ask them to do some specific security tasks or changes. For example, SSL security is the kind of security solution that the developers don’t really need it. That is a good example of how, if we have enough goodwill and balance in the bank, we’ll be able to work with previously earned karma points and actually push those changes.

If we are always seen as the source of work and it seems like we’re not adding value, but instead, just making the Devs lives more complicated, they aren’t going to do it. In fact, a really good comment I heard from some developers is that they are “neutral” – they view all requests from all parts of the business as important, but they will focus on the ones that: a) they get rewarded for the most or b) they see the most value in doing it.

This is the very reason why we need to put AppSec in the business of adding value to developers and the business