Trust is one of the most important aspects of any business. When team members trust each other, they feel comfortable opening up, taking appropriate risks and exposing their vulnerabilities; without it, teams face a lack of innovation, collaboration, creative thinking, and productivity. Software development is no exception.

Today’s software and website development teams do a great job. It goes without saying that successful teams create the highest quality products when they can trust that their teammates are carrying their own weight, holding each other accountable, and are ready to focus on problem solving to help unlock their teammates. However, historically, security teams have been seen by developers as a barrier to bringing software to market. Security teams, meanwhile, say developers aren’t listening. In reality, there is truth on both sides. To achieve a world where software is more secure, we must overcome these cultural differences.

Like many professionals, developers want accountability and transparency, and they want people to listen, empathize, and work effectively with each other, none of which is possible without trust. The question is how to establish the kind of trust necessary to guarantee secure development.

Team Building vs Principles to live by

When our tools are not well integrated, it reflects the fact that our processes and our teams do not speak the same language. This leads to process inefficiencies and communication breakdowns. I propose some principles to align developers and their security colleagues.

To be clear, traditional team outings and lunches continue to have their role in workplace culture. Ultimately, however, they won’t bring developers and security teams together in a meaningful way in the long run. Team building really comes down to time spent “in the trenches, shoulder to shoulder”, observing the daily tasks and behaviors of those around you. Knowing that a team member has your back builds confidence and frees you to voice your opinions.

To embark on the journey of establishing trust, here are five principles that developers and security teams can adopt for themselves and their organization:

  • I will tell the truth
  • I will help other members of my team succeed
  • I will practice responsibility
  • I will work to the highest level of expectation
  • I will listen carefully to what other members of my team are saying

Imagine what your organization’s culture will look like when these principles are translated into secure coding.

Here are some examples of putting these principles into practice:

  • Developers sit down with a security architect to listen to what is being asked. If I’m a developer and don’t clearly understand a security requirement or don’t know how to test if that security requirement has been met, I will speak up immediately and not let it sit in a backlog.
  • As a developer, I will focus on the highest level of quality and refuse to take security shortcuts, like hard-coding secrets into my code.
  • Instead of the security team saying “get a security book” or “read about security and understand the details,” they could engage constructively, in ways that help both teams succeed.
  • Developers could set a goal to learn something new about security every day.

If we work to build trust in our day-to-day operations, it puts everyone on the same page and we’ll get a little closer to creating secure products.

Respond to the pressure of performance in the face of security requirements

There are many frameworks that go deeper into the key values and principles offered to software developers. For example, the Agile Manifesto has been around for several years, and we recently saw the Threat Modeling Manifesto. These are great benchmarks, but the question developers are asking is, “What should I do with this information?” I hope that with practical guidance and deeper collaboration between security teams and developers, developers will grow and embrace security as a normal part of their job. Likewise, security teams will come to appreciate the challenges of developing and maintaining a complex software stack.

Software developers hold themselves responsible for the functionality and well-being of a product. But at the end of the day, developers don’t necessarily live in security, just as security professionals don’t live in code. As developers, we want to do right by our teams, our customers, and our products. We can clearly imagine our destination, but it’s the journey that we struggle to see. And that’s okay – every journey starts with a few steps, and the journey of trust is no exception.