After a number of recent high profile cyber-attacks that were made possible through vulnerability exploitations, cyber-security - and in particular, application security - is very much on the agenda of business and IT leaders.
However, building a robust application security programme requires more than awareness of the issue, and is being aggravated by a severe talent shortfall of security professionals.
While there are many great application-scanning tools on the market, building a team to effectively manage the process is proving a challenge to many. This is one issue I personally felt when I joined a large investment bank to establish its application security programme. While initially tasked to choose the best tool(s) for the job, I soon discovered I was missing an even more vital ingredient – the team.
The challenge I faced was daunting: I had little organisational knowledge and was facing potentially hostile business units and development teams. My initial view was to create a team that would be application security experts first, and let the services and policy aspects of the programme simply fall into place around them. But that plan, of course, needed revisiting.
To create a team, you need the right people. Nowhere is the chronic shortage in skills more severely felt than within the AppSec domain. AppSec requires a unique - and uncommon - combination of both information security skills and application development skills, making this shortage even more enduring.
So how did I build my team? Well, after trying a few different approaches (and making many mistakes), I'm pleased to say I did eventually get there, and hopefully this piece will help you learn from my experiences in doing so.
My initial job specification to our HR team specified “someone with 10 years software development and an interest in security, hacking or reverse engineering”, as I wanted to recruit a software developer with a security slant. I needed someone who could act in an advisory role, but have sufficient technical knowledge to ensure that our development teams would regard them as a peer and not try and hoodwink them into bypassing our controls or security requirements.
During the interview process, it became apparent that whilst I was attracting very capable people, the job specification did not meet their aspirations. Typically, they wanted to be far more “hands on” and certainly didn't want to be wrestling with policy or compliance concerns.
Our HR team therefore decided to widen the net and started bringing me traditional IT and InfoSec professionals from risk or governance or network / operations backgrounds. Whilst such individuals are extremely technically capable, I knew they would not be suitable for my team. As I expected to be spending the majority of time in conversation with developers, I needed some who knew compilers, languages, and more.
Out of necessity, I recruited some individuals I regarded as a stop-gap measure. On the face of it, they had none of the requisite skills I thought I needed – having come fresh out of university, and in some cases, without any work experience.
Once the programme commenced, it became apparent that the majority of the team's effort revolved around being able to communicate with both developers and business owners, and far less about reviewing flaws and mitigation proposals. The soft skills, such as empathy, understanding and pragmatism, were far more valuable than out-and-out technical prowess.
And this is where the new joiners really excelled: they were young and enthusiastic, very malleable in their thinking, and willing to learn and develop. In a sense, they were very much undergoing the same learning process toward application security as many of our developers. There was a shared understanding, and a willingness to cooperate and work together.
In the first two years, while our team only had a single dedicated resource (myself) with advanced skills, we were able to effectively utilise my engagement with developers. The team ensured that by the time began working directly with developers, they were fully versed in the requirements and expectations – meaning that the meetings could be highly efficient. As the programme grew in scale, we were able to leverage our consultants on an “as-needed” basis, to step in and fill any peak demand for technical consultancy.
Whilst somewhat unorthodox in approach, my decision to build a team with a relatively low technical skill base paid off. By augmenting them with deep technical skills externally on an “as needed” basis, I could circumvent the traditional problems of cyber-security recruitment and benefit from a team capable of high degrees of empathy and understanding, building stronger relationships across teams that have proved hugely beneficial to the business.
Contributed by Colin Domoney, consultant solution architect, Veracode
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.