Secure Software Development Craftsmanship – It takes Champions

I don’t want to go into the increasing importance of cybersecurity and its sometimes-catastrophic consequences if it does not meet the requirements here…so much has already been said about this. Rather, in today’s blog article, I would like to focus on the measures implemented by symmedia to precisely achieve the necessary high level of cybersecurity required for our products and thus for our customers. One central measure I would like to explain here is our Software Security Champions program.

What applies to the well-known shift-left testing to improve software quality by shifting testing activities to the earliest possible phase of software development, also applies to the cybersecurity area – we are talking about Security-by-Design here. So, it’s not enough to treat cybersecurity as a downstream activity or to try to have it provided exclusively by third-party vendors. Cybersecurity must apply to everyone and must always be thought about and lived from start to finish. This requires a culture of cybersecurity in the workplace that basically makes it part of the DNA of the company. Software Security Champions (SSC’s) are the antithesis of dedicated, centralized cybersecurity teams. The basic idea is that the people who take care of security issues, are not external “bad cops”, but team members who not only have the technical expertise in software development, but also have the attitude and interest in constantly improving the security of the processes and products – so let’s call them the “good cops”.

Secure products, simply put, are the result of secure processes designed, implemented, and developed by people who have a very high awareness and motivation for cybersecurity issues. The whole thing can be well summarized under the term security culture, or, as I mentioned above, the company’s security DNA. When we talk about a good security culture at symmedia, the following aspects are important to us and we want to continuously improve them:

• The open mindset with the courage to adapt and always critically question ourselves.
• The commitment to support and promote cybersecurity at all levels and in all areas.
• The (self-)responsibility everyone takes in day-to-day operations.
• The willingness to engage in continuous training and knowledge exchange.

And these are exactly the important aspects that our Software Security Champions bring along or promote daily, thus lifting the entire organization step by step to an ever-higher level.

Let’s move from theory to practice at symmedia. As always, we start with the why. The goals we want to achieve with SSC’s can be summarized in three overarching objectives:

• Scaling security through multiple teams (vertical scaling)
• Engaging “non-security” folks (horizontal scaling)
• Creating a culture of security by making it part of our DNA

Here, you can see that meeting the first two goals is the most important prerequisite for the third goal, culture of security. We want to build enthusiasts who will establish safety awareness across all teams and then in turn build more multipliers within the teams.

So how do we get these champions? In my opinion, there are a few basic things and requirements that are needed to get people to take on the role of Software Security Champion. You can explain it very nicely by describing what you need to do to make it work, no matter what (note: the following is an antipattern):

• Nomination of employees e.g., by a supervisor.
• The employee is left in the dark about what is expected of the new role.
• Put the SSC role as on-top role to day-to-day operations role stack.

In summary, employees need initiative, intrinsic motivation, as well as clarity about their role and full support within the organization. It’s as simple as that!

Now that we’ve clarified what it takes to establish SSCs, the question is what specific tasks and responsibilities are associated with the role, so that they best support the above goals. To fill the role as effectively as possible, SSCs at symmedia are members of the software development teams. They therefore remain firmly rooted in the team’s core task of software development, while a certain amount of work time is spent, first preparing, and then filling the SSC role. We rely heavily on SSC ownership and self-organization when it comes to defining and prioritizing relevant issues and actions.

As such, they are key players in the teams, advising, challenging, and coaching all team members on security issues. The SSC’S keep abreast of current developments in software security and evaluate new tools and approaches; where possible, they introduce them into the symmedia secure software development process. In doing so, a certain degree of pragmatism is required: security must be ensured but it must not affect the functionality of our products and ongoing operations. In their role, the SSC’s also act very much as a link between the technical and non-technical areas, such as sales or IT consulting, at symmedia.

Finally, I would like to show you a few concrete measures that we have implemented as part of the SSC program and that you too can implement with little effort but great effect:

• Coding dojos with a focus on security-relevant aspects of software development
• Introduction of static source code analysis with integrated quality gates for security compliance
• Establishment of security reviews as part of team DoD/R (Definition of Done/Ready)
• Pair security code reviews
• …

There is an enormous field opening in the cybersecurity space and the threat landscape is ever increasing. We cannot change this but – we can prepare for it!
There is a danger of always thinking and wanting to implement the very big and all-encompassing solution. This often leads to getting bogged down in theoretical and far too global approaches and to designing solutions that are not practical for the people who implement them. The Software Security Champion program is an effective component of a successful bottom-up cybersecurity strategy that starts where it makes the most sense: with the people in development.

I hope this blog article of the SSH Behind-The-Scenes series has also piqued your interest and may even be the catalyst for a similar initiative.

In this sense, many kind regards

Marius

PS:
Stay tuned for more insight right here in the symZone – and if you have any questions or comments on the issue, please feel free to drop me a line: marius.burger(at)symmedia.de