Scaling Secure Development by Changing the Software Culture Code

Eric Baize - @ericbaize

Chairman, SAFECode - www.SAFECode.org

Vice President, Product Security - Dell EMC

Do You Remember the 20th Century?

… When Security Was an Afterthought

    IEN 149                                                J. Postel
    RFC 765                                                      ISI
                                                           June 1980

                          FILE TRANSFER PROTOCOL

    INTRODUCTION

       The objectives of FTP are 1) to promote sharing of files (computer
       programs and/or data), 2) to

We Have Come a Long Way

The Horsemen of Software Security

• Software Developers

• Development Organizations

• Technology Users

Software Developers

Informed Software Developers have access to the knowledge, practices and tools needed to build secure software.

Development Organizations

Mature Development Organizations understand that developing secure software is both an organizational commitment and a holistic process.

Technology Users

Sophisticated Technology Users have access to information about vendors’ software security processes so that they can manage risk effectively.

This Century’s Challenge: Software Security at Scale

The Vision

Changing culture among 3 stakeholder categories:

• Software Developers

• Development Organizations

• Technology Users

Culture Drives Communities’ Behavior

Culture Across Countries

Examples of Large Cross-Population Differences Between Countries (*)

“We need tough leaders who can silence the troublemakers and restore our traditional values.”

“My ancestors once lived in a golden age with glorious and beautiful achievements.”

“I can always trust the government to do what is right.”

“I believe in predestination - that all things have been divinely determined beforehand.”

(*) Source: Saucier, Gerard & … & Altschul, Carlos. (2015). Cross-Cultural Differences in a Global 'Survey of World Views'. Journal of Cross-Cultural Psychology.

Today’s Software Culture Code

Software Developers: Culture Levers

Levers: Education; Tools & Technology

• 18 million software developers across the globe

• 45% have a Computer Science related undergraduate major (*)

• Consume online courses

• Heavily rely on software development tools and frameworks

(*) Stack Overflow 2017 Annual Developer Survey

Development Organizations: Culture Levers

Levers: Market Forces; Quality Governance; Hiring Practices

• Leverage software to create applications, products or services that meet market needs

• May not know they have become a software company

• Employ and train software developers

• Govern the lifecycle and quality of their products, services or open source deliverables

Technology Users: Culture Levers

Levers: Procurement; Threat Landscape

• Buy or use products or services that address their business needs

• Have to comply with regulations

• Adapt technology strategy to the threat landscape

9 Steps to Change the Software Culture Code

1. Security in Software Engineering Education (lever: Education) - Make software security a mandatory component of any software engineering curriculum.

2. Security in Technology Executive Programs (lever: Education) - Train technology executives on the impact of software vulnerabilities on world affairs and corporate reputation.

3. Security in Recruitment (lever: Hiring Practices) - Explicitly demand knowledge of secure development in software engineering job postings.

4. Security in Project Management & Governance (lever: Quality Governance) - Track and report secure development activities as required software engineering tasks.

5. Security in Quality Assurance (lever: Quality Governance) - Record critical security vulnerabilities as Severity 1 bugs in your defect tracking system.

6. Security in Procurement (lever: Procurement) - Ask your suppliers about their secure development process and governance.

7. Security in Software Development Tools (lever: Tools & Technology) - Make security a feature of Integrated Development Environments.

8. Smarter Security Tools (lever: Tools & Technology) - Leverage Artificial Intelligence and Machine Learning to create a simple-to-use threat modeling tool.

9. Security in Computer Science Research (lever: Tools & Technology) - Invent developer-friendly programming languages and run-time environments optimized for security.

We All Have a Role to Play

• Reach out beyond our security community

• Have a conversation about software security

• Know that you have an impact in changing the culture

[Summary graphic: the culture levers (Market Forces, Quality Governance, Hiring Practices, Education, Tools & Technology, Procurement, Threat Landscape) mapped to the three stakeholder categories: Technology Users, Development Organizations, Software Developers.]

Thank you!

[email protected]

/company/safecode-org