I truly believe this is one of OWASP's biggest problems. I hear it all over the place – frustrated appsec people claiming that developers and managers are ignorant, lazy, or untrained since they don't prioritize security. But it's we, the appsec people who are ignorant, lazy, and untrained! And that's why we're failing in developer outreach. We keep going to our own conferences, pushing Powerpoint slides, discussing unsexy web 1.5 code, and still think we're on the top of the hill. We're at the bottom, guys!
I've done surveys with 200+ developers to figure out how security is prioritized. In general, this is the picture:
Software Priorities According to Developers
- Functions and features as specified or envisioned
When I tell appsec people this they typically go "Yeah! See, that's the problem. We should be much higher on that list!" No. No, no, no. We belong at level six and unless we appreciate and understand how security fits in with functions, performance, usability, uptime, and maintainability we will keep being ignored by developers.
Why? Well, a featureless system is useless. A security feature that hits performance notably is out. A system with poor usability will bring no business so usability is above security. "Uptime, hey that's a security thing!" No. Just because DoS attacks hit your uptime doesn't mean we own the issue. Many things affect uptime such as release and deploy cycles, maintainability, caching, scalability, configuration, and patching (no, not just security patching). Finally, maintainability affects ROI much more than security in the general case. Thus, security == level six.
Appsec friends, let 2011 be the year where you go to training to learn what's important in software and where security fits in the big picture. Then we won't hear anymore jokes on ignorant developers in 2012. Instead we'll be humble and get things done.