Security is an Awesome Product Feature

Presented at CarolinaCon Online 2 (2022) Virtual, April 30, 2022, 3 p.m. (60 minutes)

As a security practitioner, do you feel like your developers don’t want to talk to you? How can we convince developers that security is important? This talk explains how to frame security issues as opportunities for product differentiation. This approach starts a conversation with the developers that will yield a better relationship with the security team. I’ll show how to stop treating developers as the problem and include them as active partners in the solution.

Product teams balance competing interests for new features based on business value, but often there is no voice for security. Security teams need to make the point that the business value of a system cannot be realized if the system is untrustworthy. Development teams must add security to their full-lifecycle view of product development.

This work is based on rolling out security processes in my consulting organization of nearly 4,000 resources.

In many organizations, security features are added as requirements in a category called “non-functional requirements”. This phrase may mean they are explicit features of the product. But this category also devalues these features. Product owners and development teams must value the security aspects of the product as first-class features. If a client or user cannot trust the system to prevent their data from being exposed, they will likely find a different product to use. Conversely, if a product demonstrates strong security features, clients and users will choose that system over others that are less secure.

