Application Security: selling the story to developers

Schedule: Jul 30th, 02:00 - 02:30 PM. Place: EN102 L100

How do you sell eating vegetables to a child? Application security is sexy in theory: hacking at systems, breaking in, being a rebel without a cause. But what happens when you try to roll it out to hundreds of developers who have less than no interest in embedding yet another tool into their software delivery lifecycle? How do you keep it sexy, interesting and engaging, and make them want to use it? This is the story of what we did, what we didn't do and what we should have done to get AppSec rolled out in an enterprise that barely knew the definition of the word.


Outline/Structure of the Talk

What we had

  • Support from top management: why does that help, what are the benefits, what does that mean in practice?
  • Money: no money means no chance. You need money both to buy tools and to buy resources; this is not a one-man band.
  • Autonomy: to make decisions within our project, within reason

What we didn’t have

  • Agile methodology across the org: half the teams were waterfall and half were agile. You can't solve every enterprise problem during one project, so it was time to put on the "wagile" hat.
  • Understanding of the org: domain knowledge. There were teams we didn't know existed, and we didn't know who wrote code and who didn't.
  • Support of middle managers: this was something they didn't know was coming, and given we had less than 12 months to roll out, they didn't have months or years to plan for it.
  • Full cross-functional teams: we still depended on networking teams to write our firewall rules, design teams to approve our designs, and AD teams to support our SSO integrations. Whilst we had ample capability within our team (DevOps, security analysts, platform engineers), you can't always escape the necessities of a large enterprise.

Our plan of attack

  • What we tried to do
  • Rolling out to one team a fortnight, with each team seeing value and benefit from day 2 of project delivery

How we failed

  • Communication
  • Selling the value

How we turned it around

  • Empathy: feeling the pain, selling the story, and understanding the psychology of why developers resist
    • Business pressure to deliver
    • No time given for security
    • No real understanding or feeling of value in contribution
  • AppSec and lunch / AppSec and pizza
  • Reaching out to tech leads
  • Sitting with them one on one
  • Customising solutions where we could

Where did we get to, how did it turn out

  • Success!
  • What we would do differently, lessons learnt, etc.

Learning Outcome

Teach BAs, delivery leads and change managers what they should and shouldn't do when they try to roll out both AppSec tools and general tooling to developers across an organisation. Also, that without top management support and the other essentials, the project has no chance of success.

Target Audience

Business analysts, Delivery leads, Change Managers
