Developer Security Toolkit
Empowering Teams to Deliver More Secure Software
Software developers, whether programmers, testers, designers or product managers, typically make hundreds of decisions every day. Very few of those decisions have security implications. It is vital that developers spot security-relevant decisions as they are encountered, and have a clear sense of when security is needed for different kinds of development tasks.
Based on our research, the Motivating Jenny project has designed a toolkit to help sensitise development teams toward security issues in the workplace. Each package has simple and complete instructions for you to use. Click each card below to download materials, and follow us to find out more.
How does the toolkit work?
Developers like to solve problems. When they identify a security problem in their environment, most developers will actively try to solve it, whether by drawing attention to a security impact in a product management meeting, by using secure functions and constructs while coding, by thinking up tests of security, or by consulting an expert. The vital step, therefore, is to help team members develop their sense of when security activity is needed and why: to sensitise them to security.
Development teams and departments improve practice when they work together. The four packages in this toolkit use various kinds of discussion between practitioners to sensitise them to the many security issues they will encounter. Security in the World uses a structured discussion of a real-world security incident, seen from two different points of view, to promote discussion about the impact security issues have on developers and teams. Security in the Community gives pointers about how to use comment streams on Stack Overflow and other sites to learn about security issues as they intersect with common development tasks. Security and Me uses a self-assessment questionnaire to prompt reflection about individual attitudes to work and security. Security Between Us uses principles from collective security to focus discussion on active security issues between team members and between different teams.