In the last entry of our series on cultural challenges in application security, we introduced the incompetent developer problem. In this entry, we'll describe some techniques to help resolve it.
We described a scenario where Steve, the application security lead, sat down with Julio, a developer, to explain a secure SDLC program. Steve was unsure what to do after Julio suggested that the only real security challenge they have is hiring incompetent developers.
What We’ve Seen Work
To begin, Steve might want to acknowledge some truth to Julio’s assertion. While development skill may not be the only predictor of code security, Steve’s experience should probably tell him that good engineers are more likely to take security seriously.
The other thing that Steve should recognize is that Julio may be surfacing a hidden objection: as Sherif Koussa points out, smart engineers don’t like to be told what to do. They want to exercise their autonomy to meet user needs within architectural constraints.
In our scenario, Steve might well benefit from acknowledging that it’s not his place to tell Julio how to code. He is simply trying to do his best to prevent customer or internal data from being breached.
Steve should come better prepared to this kind of discussion with data. Smart programmers occasionally make security mistakes. Professor Bill Chu of UNCC and his team have pointed to the effects of cognitive burden on developers.
Steve may also want to point out that smart engineers at just about every software company, including GitHub, Facebook, Google, Apple, Microsoft, and most likely his own company, have produced vulnerable code. Programming competence isn't sufficient to prevent security defects: holistic changes to software development yield measurable progress.
Finally, Steve may want to point to results from other fields with abundant research about very competent practitioners making what appear to be basic mistakes in their day-to-day practice. Atul Gawande points to research about surgeons making seemingly trivial mistakes, such as operating on the wrong side of the body, in a high-stress work environment.
Getting buy-in from skeptical developers is one of the toughest challenges for many application security professionals. If you run into the incompetent developer problem, make sure you frame the discussion properly and come equipped with the right evidence.