How to encourage a culture of security

Bartender
Posts: 1849
Hi Jim and August.

If you're in the role of developer on a team, how do you advocate for better security without always sounding like a "negative nancy"? As quality advocate on my team, I find myself frequently in the boat of telling folks "something's unsafe" and it gets tiring -- and I think it's tiring for others.

How do we make the experience more positive?
Sheriff
Posts: 17644
We had Jeff Sutherland, co-creator of Scrum, at our company earlier this week to give a talk and promote a new book of his. When asked about changing culture, he reminded us of Conway's Law and said, "You can't change culture. You can change structure. When you change structure, the culture cracks, then it reforms."

This made a lot of sense to me. If we look at current society as an example, how long has it taken for equal marriage rights to get to the level of acceptance it has now? You have to change individual attitudes and do that with enough individuals in a group to change the culture and that doesn't happen overnight. Organizational structure is something you can change (although it's usually done with a different goal in mind, not to influence security-mindedness).

I've been pushing for developers in my group to adopt TDD but I haven't had the kind of impact I'd like. Change has been mostly with the folks I work with a lot. One of my group's focus areas is Security. Yet, we only recently got every project compliant with a requirement to not have any kind of application password (for DB access or service requests) in clear text in source or configuration files. Ironic, right? So, I guess policy can also put pressure on folks to do the right thing, but I don't think it does a lot to change culture either.

We have a "Security Advocates" special interest group in our company and these are folks who, like you, try to get the word out about security and promote secure development practices. Again, the impact the SIG has on security culture appears to be limited but I think that's just the nature of culture change: it's an evolution.

All you can do is keep fighting the good fight and keep pushing your agenda. Be that lone voice shouting in the desert if you have to be. Keep working to expand your circle of influence. Keep the pressure on and sooner or later, something has to give. When something cracks, you'll have made progress and you can start reforming.
Junilu Lacar
Sheriff
Posts: 17644
During the same talk, Jeff Sutherland also said "Architects should code!"

I've been saying this to people in my group for a long time. The first time I said this during our Agile Transformation kickoff meeting a couple of years ago, a bunch of architects in the room scoffed at the idea. One of them even declared "That's a joke, right? That's ridiculous!" I didn't argue with him because there was no point. Now that it's been validated by a well-known authority in Agile, I have managers pinging me and asking me what we can do to get architects to code. So maybe another way to put pressure on the group in hopes of cracking the culture and initiating reform is to bring in outside experts who can validate your agenda and spark a desire to change in others.