Developer Security Toolkit
How the Toolkit Works
In the workplace, developers engage with security in a number of ways. Security is a part of activities in which developers are primarily users or administrators of systems that must remain secure. In these cases, they are expected to comply with policies set in their companies or by their clients.
Developers also take an active role in interpreting and enacting security policies for their companies and clients. This happens when they use secure functions and constructs while coding, but also when they design and architect solutions, or participate in product management or planning meetings.
Our research has identified that a developer responds to the security needs in these situations within common dimensions of development practice. The response is influenced by the task that must be completed, the informal, "small" problems that need to be solved, and the developer's individual orientation toward the situation. Figure 1 indicates how these aspects relate to each other in the context of a specific work episode that involves security.
Security activity in software development takes place against a backdrop of policies and measures that are defined by companies. It is vital to help developers gain a sense for how they can effectively engage with security in different situations. To do this, the four packages in this toolkit prompt various kinds of discussion between practitioners to help them effectively respond to security needs in the workplace:
- Security in the World uses a structured discussion of a real-world security incidents seen from two different points of view to promote discussion about the impact security issues have on developers and teams.
- Security in the Community gives pointers about how to use comment streams on Stack Overflow and other sites to learn about security issues as they intersect with common development tasks.
- Security and Me uses a self-assessment questionnaire to prompt reflection about individual attitudes to work and security.
- Security Between Us uses principles from collective security to focus discussion on active security issues between team members and between different teams.