Dealing with the “Security is Special” problem

In the last entry in our series on cultural challenges in application security, we introduced the “Security is Special” problem: the situation where application security issues hold a trump card over every other development issue, and how that can erode the relationship between security & development.

In our experience, insisting on high priority for every security issue is one of the biggest detriments to building a productive relationship between security & development. The HTTPOnly cookie example comes up often in the real world. Certainly, there is some inherent risk in not implementing this kind of control, but the benefit of fixing it may not outweigh the opportunity cost of not closing other defects and/or not building features.

Good security teams make the development staff aware of security issues and articulate real risks without hyperbole. They understand and empathize with development teams who have seemingly endless lists of defects to fix and features to implement. Framing security vulnerabilities as defects and prescriptive controls as features allows development teams to make their own trade-off decisions. This, in turn, fosters more trust between development and security, which in turn eases adoption of future application security initiatives.
