Can culture change cure our secure software challenges?

If you want your team to build secure software, can building your development culture improve outcomes and reduce the need for expensive tools?

No matter how much we wish for it, there really is no cure-all solution to software security.

Perhaps that isn’t the inspirational opening line you were hoping for but stay with me. It’s an important premise from which we will start and to be honest, why this newsletter exists at all.

Let’s change the conversation about secure development and find an approach based on collaboration, supported by strong leadership.


I have spent the last 20 years in the software industry. In this time I have played many roles: from software developer to tester, penetration tester and red teamer, and I even had an ill-advised stint as a qualified auditor. In all this time, however, and despite the huge variety of roles, I can’t ignore the dissonance we have when it comes to security tools.

As software engineers, we know that it’s almost impossible for a tool to solve a complex issue such as preventing all security flaws in software. We know this because we build complex systems every day. And yet we all hope that one day a magical solution will appear that will make this hard, unrelenting problem go away.

While dreams are free, delusions cost us dearly. Not only in terms of the money we spend on tooling every year but also in the time and energy we spend trying to make it work.  

So what if we changed the way we think about software security? What if this very technical domain has a lot more in common with our existing software challenges, like scaling, performance, usability and resilience, than we like to admit? What if the technology isn’t the cause at all?

As security leaders, can we use culture to improve the security of the software we build?

I’m a strange sort of application security person. I am genuinely excited by the amazing advancements we are making in software development, across every industry. For me, we are living in an age of exploration and technological revolution, the impact of which it’s almost impossible to guess.

Without this industry and this great age of software, there would be no need for people like me. My role in the world exists because we are taking chances, pushing boundaries and asking “how hard can it be?”. My job (and likely yours too) is to be supporting cast to this process and help it succeed (securely).

Each week I will dig into a different part of how we secure software, with a strong focus on what we, as secure development leaders, can do to make this work painless and engaging for our software teams. I will look at current trends and approaches, research and news items, and share approaches and lessons learned from the many teams I have worked with over the years.

Together we can normalise security and make it just another part of software quality.

I hope you find this newsletter useful. Like most things, communities thrive when they are interactive so don’t be shy. If you have questions, comments or feedback - please get in touch. I’d love to hear from you.

Until next week.

Laura

This week in #AppSec

Not had a chance to read the software security news? Here’s what you missed this week.

Podcast: Build Amazing Things (Securely)

Want more? Build Amazing Things (Securely) features interviews from software leaders and security folk from around the world. Explore how security works with some of the world’s most innovative technologies. You can subscribe on Apple, Spotify, Google, or wherever you listen to podcasts.

Upcoming Events

Want to meet up in person or come along to an event? I will be speaking at or attending the following events this year.