How do you encourage people to do something? Make it easy. Developers too will adopt application security practices, if you make them easy. Here’s how.
What’s the best way to get people to do something really important? Obviously, you don’t yell at them about how important it is. You don’t threaten to fire them if they don’t comply. Instead, you make it easy and convenient—even intuitive.
You know, as simple as the cliché about honey and vinegar.
Or as Wendy Nather put it in one of the opening keynotes at RSA Conference 2020 in San Francisco on Tuesday, make it as simple and easy as using a spoon.
“It’s really hard to get wrong or to use it wrong,” she said. “You learn it as a toddler. There’s no need for ‘spoon awareness training.’ You go anywhere in the world and nobody has to tell you how to use it.”
Unfortunately, cyber security hasn’t been nearly that simple or easy for users. And Nather, head of advisory at Cisco, was there to make the case that it ought to be both.
There has been some progress, Nather said, citing tech giant Apple as an example. The company had sought to improve security for its earlier iPhones by giving users the option of using PINs to unlock them. But few, not even the late Apple CEO Steve Jobs, would use a PIN. It wasn’t convenient.
That all changed when the company made it possible to unlock the phone with Touch ID. “Biometrics were always a thing,” she said. “But not only did they offer it, they put the biometric on the home button where the user was going to click anyway. Security was right there for them.”
Part of the disconnect, she said, has been that “as technology professionals, we’re comfortable with a level of complexity. But users aren’t. We have to simplify.” In that, she sounded a bit like Thoreau, who would likely be more than a little surprised at being invoked in any kind of technology setting.
Security policies, she said, should also be designed to be adopted, not enforced.
A major reason, she said, is that while work life used to be separate from everything else, that is much less true in the digital age. “Now we use the same stuff,” she said. “The only difference is which username you type in.”
“And workers are getting nervous about the company controlling their life. So we need to change from authoritarian to collaborative.”
Finally, Nather, like others at RSA, said making security easier and simpler would take a culture change. “You can’t shoehorn people into it. We need to bring security to them no matter what age or where they are,” she said.
All Nather’s suggestions sounded much like things that apply to software development as well. There’s been a move toward simple and easy, with application security tools that are much friendlier to developers. But much more still needs to happen.
As experts have been saying for some time, the way to get development teams to “build security in” to their code is not to browbeat them. It’s not to force them to stop what they are doing and go back to fix mistakes they made a week ago. Instead, it’s to make the secure way the simpler, easier way.
That is happening with the “shift left” philosophy in software development—bringing application security testing into the process at the start and continuing through production. It is the reason for DevSecOps, which seeks to bring together three teams that have historically been at odds, in the name of making application security better, stronger, and faster.
The toolkit for building security in is by now familiar. It includes static analysis to find software weaknesses in code, software composition analysis to find vulnerabilities in open source, IAST to spot defects during QA and functional tests, and dynamic analysis to test running applications.
The trend toward developers and engineering teams bringing application security testing into the SDLC (software development life cycle) was noted in the most recent Building Security In Maturity Model (BSIMM) report last fall.
The reality is that it is hard to make security easy. Otherwise, everybody would already be doing it. But Nather insisted it is possible.
“It’s a big undertaking,” she said. “But we can do this. Let’s do this.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.