Your Developer Security Toolkit
Empower Your Team to Deliver More Secure Software
Are you managing or supporting a software development team? Does their development have security or privacy requirements? If so, read on:
Software developers, whether programmers, testers, designers or product managers, typically make hundreds of decisions every day. Very few of those decisions have security implications, which makes them easy to miss among all the others. So it is vital to help developers spot security-relevant decisions as they are encountered and to develop their sense of when security is needed and why: to sensitise them to security.
Based on ground-breaking research by the Motivating Jenny project, we offer here four packages, all designed to help sensitise development teams to security issues in their workplace. Each comes with simple and complete instructions for you to use. Click through to learn more about and download the materials for each package, or read on or explore our tweets to find out more.
How do these packages work?
Developers like to solve problems. When they identify a security problem in their environment, most developers will actively try to solve it, whether by drawing attention to a security impact in a product management meeting, by using secure functions and constructs while coding, by devising security tests, or by consulting an expert. The vital step, therefore, is to help team members develop their sense of when security activity is needed and why: to sensitise them to security.
Teams and departments can improve this security awareness in their developers by having them work together. So, these four packages use various kinds of discussion between developers to sensitise them to the many security issues they will encounter.
Security in the World uses a structured discussion of a real-world security incident, seen from two different points of view, to promote discussion of the impact security issues have and how they may be avoided.
Security in the Community teaches how normal discussions on Stack Overflow and similar forums can be a way of learning about security issues, especially when there are no security experts available.
Security and Me uses a profiling questionnaire to prompt discussion about individual attitudes to security.
Security between Us uses 'Serious Play' techniques to focus discussion on active security issues between team members and between different teams.