Inside the security community, the web application security conversation has been active for well over a decade. The ideas and techniques for identifying and exploiting vulnerabilities in web applications are well established. Active communities of vulnerability researchers work tirelessly (or at least determinedly) to identify vulnerabilities in vast quantities of modern applications. There is a massive hacker community internationally and an ever increasing number of conferences at which new ideas, tools and techniques are discussed and developed.
Security is a world of niches and specialists. Dark adventures down deep rabbit holes.
The world of the developer is a very different place.
In the development world, security is part of a much broader, more complex picture. The technology landscape is vast and rapidly evolving. It has a laundry list of challenges – from scale and stability to an ever increasing demand for new innovative features and calls for reduced costs.
From tiny applications spawned from random ideas over coffee to global enterprise applications dealing with scale and availability requirements that was unimaginable a decade before. The number of applications under active development and possible technology stack permutations are innumerable.
As security people we tend to forget about this other world. We test systems and make recommendations to address security vulnerability without any real context to support us. We demand changes and absolute control in an environment that is increasingly agile, infinitely varied and constantly changing.
We talk loudly and passionately about application security – to a room full of people who already know about it while the development community is doing the same thing next door.
Security professionals are not magicians, desperately hiding behind cheap tricks and praying nobody looks behind the curtain. We are deep technical professionals and specialists. Our methods are not the secret sauce, applying our knowledge to make things more secure is.
Whether you are a maker or a breaker, security or development – the time to work together is long overdue.
- No longer should the application security and software development operate independently of each other.
- No longer should developers feel unsupported in their efforts to improve application security.
- No longer should application security be treated as less important than or incompatible with innovation, agility or flexibility.
This is my journey.
Moving from offensive application security to application defence is like moving to a foreign country. There are fragments that are eerily familiar but you will get on a lot better if you learn the language, try to integrate with the culture and ultimately leave your assumptions behind.
Conversely, welcoming an offensive security person into your software development team may feel like inviting the wolf to your door, threatening your ability to innovate, develop and deliver in an agile way.
Feel like the challenge is too big? Feel like it’s just too much work? Think it’s not your problem?
Harden up.
Our organisations and applications are at risk. We have work to do.
