Developers need to stop fearing the InfoSec Mafia
Sometimes it feels like your organization’s Security team pushes its way into everything: Do you want to implement a new feature or change an API? Not without security’s blessing, right? It can feel like your security team just complicates everything — and did you even really want their protection in the first place? Who are these guys to come in and force you to do things their way?
When you frame it like this, your InfoSec team sure does sound like the mafia. But here’s the big difference: we’re not adding all of these processes and overhead for our benefit — we’d be just as happy if you could secure everything on your own…
Let me keep it simple:
We are responsible for protecting your application’s users and your business’ customers; that is why we do what we do.
Still don’t believe me? Continue reading and let me see if I can change your mind.
Let’s start with the impetus for the article:
A few weeks ago, I was attending a meeting with a group of devs from across the Jet org. We (the Security Team) recently released some new team stickers to help keep security fresh on people’s minds and ensure that they know how to contact us when needed. As I handed out the stickers before the meeting, someone asked — “Cool, thanks, but what’s the catch? What do we have to do in return?” Another wisenheimer chuckled, “Pretty soon, security will be coming to ask for a favor we cannot refuse.”
Haha. Okay. I get it. Security makes a lot of requests. More requirements == more work, but then I honestly asked:
“Wait, is this how you guys really feel? Do you guys think we’re the mafia over here?”
And now, let me set the record straight:
Why is Security always showing up?
It is important to consider security throughout the SDLC (software development lifecycle). There is a strong correlation between bringing security into a project or process late and the cost and difficulty of implementing reasonable and necessary security measures. At Jet, we work hard to build relationships with our developers and business users. We also make efforts to foster open lines of communication between everyone in the organization and our security team. This results in trust in our team and in developers considering us their partners. We are very proud of the many positive relationships that we continue to build each day.
The environment at Jet is one where managers and developers are comfortable coming to us early when they recognize a potential security concern or question for their project. It’s easy to pop into our security team’s Slack channel to ask a question (we actively monitor this channel) or to ping an individual who can help you or quickly route you to the best person to consult on your project. If it’s more involved, we try to schedule a meeting or whiteboard session within a matter of hours or days, not weeks.
Realistically, not everyone is eager to reach out to security even when they know they should. Who wants more requirements on top of the existing backlog?! But don’t worry, just because we’re not invited doesn’t mean we won’t show up to the party. We keep our ears to the ground and our eyes on the street; we also insert ourselves into the normal flow of things to ensure we stay in the know. For example, at Jet the Design Review and Production Review processes are important gates to pass through before implementing new major functionality. And to get to that gate, you are required to formally engage security before your review session will even be scheduled. No security → no review → no go.
Now, of course you can’t catch every security bug during the design phase, so we are always scanning and pen-testing for security bugs, outdated libraries, etc. Here at Jet, we integrate our security reporting directly into our source code and project management tools. Similar to inserting ourselves at appropriate points in standard processes, reporting security issues directly where developers build their backlog gives security bugs the same visibility as other bugs, without forcing developers to consult another system. On top of these reports, we back it up with some muscle: We have formal, publicized remediation SLAs. These SLAs are regularly communicated and we actively monitor related metrics. Here at Jet, these SLAs are both reported to, and supported by, management.
The success of a security team depends on balancing the carrot and the stick. We want to work together, but even if you want to ignore security, security will not ignore you. But recall from the opener: we’re not doing this for nefarious purposes or to enrich ourselves. We’re not here for us — we are here for you and for the customers. We are driven by our responsibility to protect our organization’s customers. Nothing delights us more than when we find developers who share our passion and recognize we’re on the same side. And for those who have not yet come around, they know that we won’t #fuhgeddaboutit.
Why does Security ask us to do so much stuff?
Listen, security isn’t easy. We know it complicates your process to use special libraries for handling input and processing data, that it’s easier to hard-code secrets in your code, and that it’s a pain to manage granular permissions and data flows. But do we really want to make it easier for the hackers (i.e., the real bad guys), too?
But again, remember, we’re on your side. While it’s not easy, we are always looking for ways to make things less hard. For example, one of our pet peeves here at Jet is hard-coded passwords, keys, and other secrets in source code: this results in secrets being spread everywhere — version control servers, your local clone, copied and pasted into emails/Slack, etc. Secrets are meant to be secret™. That is why one of our major projects last year was working with our DevOps team to deploy HashiCorp Vault to make it easy for our developers to build their services securely with the least amount of headaches. We also wrote software to do automatic scanning for secrets to help our developers identify and address these problems in a systematic manner, as early as possible, instead of right before you want that production review sign-off.
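To make the “automatic scanning for secrets” idea concrete, here is a small added example of the kind of check such a tool performs; it is not Jet’s scanner, the regex rules and the 3.5-bit entropy threshold are my own choices, and the sample source file is constructed (its AWS key ID is the placeholder value from the AWS documentation, not a real credential). Pattern matching finds secrets with a known shape, and a Shannon entropy check on generic `password = "..."` assignments filters out obvious placeholders so developers are not buried in false positives.

```python
import math
import re

# Shapes that should never be committed to source control. The AWS key-ID
# format is a public convention; the other two rules are generic shapes
# chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per (line, rule) hit. Generic assignments must also
    clear the entropy threshold so values like 'changeme' are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if name == "hardcoded_assignment" and shannon_entropy(m.group(2)) < entropy_threshold:
                continue  # looks like a placeholder or a dictionary word
            findings.append({"line": lineno, "rule": name})
    return findings

# Constructed sample file: line 2 reads the secret from the environment (fine),
# line 3 hard-codes a random-looking key, line 4 is a low-entropy placeholder,
# line 5 uses the AWS documentation example key ID.
SAMPLE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = "q8Fz2LpX9vTk4mN1wR7yB3cH"
PLACEHOLDER_PASSWORD = "changeme"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']}: {f['rule']}")
```

Running the block reports lines 3 and 5 only; a real tool would run the same logic as a pre-commit hook or CI step and file the hits where developers already track their backlog.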
Here at Jet, we also do a lot of things behind the scenes when it comes to security. For instance, we try not to just dump machine output directly into findings; instead we make our findings human-readable and intelligible. We also think about how developers will actually go about fixing a code or server bug, and we rack our brains trying to find strategies and tools that will make developers’ lives, not ours, easier. We want our developers to succeed; we don’t want to keep showing up when it’s least convenient. When we find ways to make it easier for developers, we’re actually better aligned with achieving our security goals.
There may come a time when Security asks you for a favor…
That time is now, and here it is: Think about protecting the security and privacy of your customers in everything you do. See, security teams everywhere are not really asking for much; we just want you to make conscious and conscientious decisions when you are creating new apps, services, and APIs. It’s tempting to prioritize algorithmic beauty, efficiency, or any number of other engineering goals — but we need you to think about the security implications of your choices. This means more than using the sanitization and filtering libraries we ask you to use; it means questioning business requirements that will lead to security or other problems. Security teams everywhere also ask you to stand your ground against requests for improper or unethical features (if you’ve never read “The code I’m still ashamed of,” take a moment to read it now, and remember that VW’s emissions scandal was enabled by software). Remember to ask “Creepy or Clever?”
InfoSec is here to protect people; we’re not the ones asking you to mix up a pair of concrete slippers.
Do you want to be sleeping with the phishes?
Don’t forget, we are doing a lot more than just looking at and securing code. Your security team is also involved in a lot of day-to-day operational and business tasks. We are helping to streamline processes and reviewing your vendor integrations and configurations to ensure they won’t hurt our systems. Don’t like getting crypto-ransomware on your workstation? Guess who is working to harden your email and to take action to block and remove phishing and spam emails — that’s right, us, Security. Sometimes we’re doing things to protect you that you may never, ever, see — and never even know about.
But hey, this is our job, and this is what we love to do! Remember, most of my peers and I didn’t choose cyber security for the glory; in the simplest terms, we’re here because we want to help keep people safe and prevent bad things from happening.
I hope that this short piece helped to change the way you look at your security team, and that you maybe even acquired a newfound respect for everything we do and everything that we ask you to do.
And no, you don’t have to kiss our rings.
If you are a security professional, hacker, or something in between — we are looking for some new members in the family. Check out some of our current open positions here at Jet and Walmart. The Walmart family of companies highly values the role that security plays in our operations and in serving our customers. This is a great place to grow your career and develop new skills, with a mix of next-gen and traditional systems.
Do you have a story about how your security team overcame negative perceptions, or things that you do that you wish were better appreciated? Share your story in the comments below!