Tuesday, May 7, 2013

Avoiding the Security Gate

The worst place for a security program is to be a gate at the end.

What happens in organizations where security is seen as the final hurdle before a new service or feature can launch? Security becomes the enemy. The development team has toiled for months to design and build the new code. They're over budget, overworked and behind schedule, and all they want to do now is launch. But one thing stands between them and the launch - the nod from the security team.

In this scenario the developers don't care about security. They have no interest in best practices, least privilege or layers of defense. All they want is the green check that means their code is shipped to the world.

This is not to say that developers don't care about security - in fact, I'd argue they very much do. Instead, this behavior is a reflection of a poorly built system: one team is placed in a position of superior control over another, and the natural result is frustration and animosity.

If this sounds like your organization then you've done something wrong.

Over the next several posts I'll talk about avoiding the security gate and building an effective security program. We'll explore the following topics, and maybe more.
  • Team structures for security
  • Pushing security left
  • Inverting the scanning model
  • Operating at scale

Stay tuned for more...

-Michael Coates - @_mwc