How To "Speak Developer"

Nick Malcolm, Security Consultant at Aura Information Security

First presented at AISA Cyber Conference AU in 2018. How to “Speak Developer” and Create a Winning Security Culture in Your Software Development Teams.

There aren’t enough security people in the workforce to scale to the demands of our business needs, but there’s an untapped resource already sitting within our organisations: developers and testers. In this session we’ll learn how to speak their language and create a security culture which will support secure development and ultimately enable innovative practices within the business.

As security professionals we often battle to make ourselves understood with developers. Maybe we’re too risk oriented. Perhaps we’re only confident talking at a network level. Or our business has adopted an agile methodology and our old practices are being seen as roadblocks. Whatever the reason, we need to change the way we interact with development teams. By understanding their context, speaking their language, enabling them with tools, and being seen as a trusted advisor – not the enemy – we can move at a pace and scale where security is baked into our development culture across the organisation.

If you’re a security professional working within an organisation that does software development, or an IT manager looking to make the most of limited resources, this session is for you.

Nick Malcolm (@nickmalcolm)

Slide text:

How to “speak developer”
Why are we getting hacked?
Why are there vulnerabilities in my software?
Do people come in to work thinking “Hmmm, what buggy software can we create today?”
Why do penetration tests keep finding the same things?
Editor's Notes

  1. I want to start by asking some questions, aimed at InfoSec professionals working in organisations with software development teams.
  2. Do people come
  3. Do people come in to work thinking “hmmm, what buggy code can I write today?”
  4. As information security professionals working in organisations with software teams, these questions come up all the time.
  5. Security teams feel under-resourced and overcommitted, with incidents and questions and reports flying in from all over.
  6. I think there’s a language barrier. You might think so too, if the title of my talk drew you here. This isn’t a new idea.
  7. But I do think it’s our responsibility as information security professionals to break that barrier. It’s on us. Not development teams, although their involvement is crucial. Ultimately we have the skills and knowledge that need to be translated into something they can understand and be empowered to run with themselves.
  8-10. We need to learn how to speak developer.
  11. 6 years as a Ruby on Rails developer, 2 years in information security. I spend most of my working week trying to do exactly this. I’ve been on the other side of the fence, and now it’s my job to empower and work alongside organisations and development teams to improve their security maturity.
  12-15. There are three things I think are a crucial starting point, and we’ll talk through these today. 1) Understand how they perceive us, and what their working styles are. What drives them? 2) Observe how they interact with each other, and where, and then join in. Be present. Be transparent. Include them. 3) Don’t speak to them at the end of a project; speak at the start and throughout. Make it easy for them to choose secure paths by providing guidance at the right time and in the right way.
  16-17. Before we can understand their context and learn their language, let’s think about how they might perceive us. What lens do they see security through, at the moment?
  18. Too often we’re seen as people who say no all the time. We come in too late in the project and don’t have time to do anything except pull the handbrake.
  19. Perhaps we put barriers in the way to try and give ourselves some breathing space. We delay project timelines and become a source of friction, a hurdle to be overcome or smashed through.
  20. Another approach is to throw a book of requirements at them. We leave it to them to figure out what’s relevant and what’s not. If they miss Section 54 Point 12 Subsection D and overlook a requirement, we can pass the blame and say “told you so”. https://media.giphy.com/media/8Ue8ekoT67ylq/giphy.gif
  21. Ego. Patronizing. Jargon – it’s easy to overcomplicate language, and it can be a way of posturing power dynamics. Forcing every change to go through them.
  22. How do they perceive us?
  23. Whether their perception is fair or right doesn’t matter.
  24. There is something called the Actor-Observer bias, where we attribute other people’s behaviour to something intrinsic to them, and our own behaviour to things we can’t control.
  25. Before we can start to speak their language, we need to recognise our own biases that might prevent us from putting in the effort. Most people don’t come to work wanting to do a bad job and build buggy apps.
  26. Now that we’re more aware of their context and our own context, let’s look at the context of how they work. We don’t want to try and force a square peg through a round hole. Are they working with waterfall, agile, devops, something in between?
  27-28. Pitch your security requirements at the right level. Understand what their levels are.
  29-30. If you don’t influence the refinement of a story, or get security into the definition of ready, things will be done without security involvement. If you can’t fit into this workflow, it’s likely that you’ll cause friction in your team.
  31. Respect their time and agenda. Don’t hijack their story refinement sessions into a “tell security what you’ve been doing for the last month”.
  32. Stories: design reviews, threat modelling, pen tests, etc.
  33. This is an important spot to get into.
  34-35. How fast are they trying to deliver? Where are their sources of friction? Are these changing? What metrics are important to them? How can you build that into your own success metrics? Adopt their language of success.
  36. Don’t focus just on the number of findings. The focus initially should be proving that security tools can be added to the pipeline and add value without dragging down velocity.
  37. What are the injection points where you can get in early, with just the right amount of effort to say the right thing?
  38. Identify and start with the “star” teams, so others are led by example. Then work with the “worst” team. By working at both ends of the scale, the median will rise. If you can establish a relationship with both of those teams, you’ll have learnt an awful lot about how to work best with the other teams.
  39-40. Graph of using outliers to shift norm
  41-42. There are theories on how we learn language, and imitation is one we can understand. When you hear a young child learning to talk, imitation is so common. Trial and error. Repetition. The same applies to us when we’re learning the language of our developers.
  43. If you’re seen as an outsider, own it! Poke fun at yourself. https://media.giphy.com/media/Exs0D5k1MpoRO/giphy.gif
  44. If someone does a good job, praise them
  45. Drake meme
  46. If you have to use a ban hammer, at least make it fun!
  47. If they’re invovled in the Software Development Lifecycle, they’re “developers”!
  48. Silos exist. You need to know if things are being ”thrown over the fence”, and should make it part of your job to make sure everyone is aware of their roles and responsibilities.
  49. When you’re working on something that effects them, include them!
  50. Get involved in onboarding. Ask to go to team meetings. Let them know you’re approachable, reasonable, not scary, not here to say no. If they use a chatroom, hang out in there sometimes so that you’re part of the team. Have office hours at least. A couple of hours a week where you clear your schedule to be available. Let them know when you’re free and when you’re not, so they can time things to match.
  51. Get involved in onboarding. Ask to go to team meetings. Let them know you’re approachable, reasonable, not scary, not here to say no. If they use a chatroom, hang out in there sometimes so that you’re part of the team. Have office hours at least. A couple of hours a week where you clear your schedule to be available. Let them know when you’re free and when you’re not, so they can time things to match.
  52. Penetration tests aren’t a big hammer to whack teams with. You need to translate the findings into something they can understand and learn from. Track the categories of bugs, so that they know where to focus.
  53. Policies, Standards, Guidelines need to meet these three criteria to be useful to development teams. Anything else is a hurdle to be avoided, a time sink where effort expended exceeds value gained.
  57. Why do developers love SO? Because you can copy paste code that probably works. As security people, we know that code is often buggy or vulnerable in certain contexts.
  58. Build your own go-to library where the right thing is just a copy-paste away. Let teams build on these, and create new ones. Have more than just code, have unit and integration test cases that testers can run with too. Mention pen tests again
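  Here is what one entry in such a go-to library can look like, as an added example rather than anything from the talk. The topic (password hashing) and the names are my choice for illustration; the point is the shape: the snippet developers usually find and paste, the reviewed replacement beside it, and test cases that ship with it so testers can run them too. The iteration count is an assumption to tune to your own hardware budget.

```python
"""
One entry in a 'go-to library': the secure way to do a common thing, ready to
copy-paste, with the tests that prove it. Example code, not from the talk.
Function names and the PBKDF2 work factor are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

# --- The kind of snippet that 'probably works' when pasted from a Q&A site ---
# Unsalted, fast hash: identical passwords give identical hashes and the result
# is cheap to brute-force offline. Kept only to show what the library replaces.
def insecure_hash_password(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# --- The go-to version: random salt, slow KDF, constant-time verification ---
PBKDF2_ITERATIONS = 600_000  # assumption: pick a work factor your servers can afford
SALT_BYTES = 16

def hash_password(password: str) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    Storing the algorithm and iteration count alongside the hash lets you raise
    the work factor later without breaking existing records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a password against a stored record; malformed records simply fail."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison so a mismatch position cannot be timed.
    return hmac.compare_digest(candidate, expected)

# --- Test cases that ship with the snippet, so testers can run them too ---
def run_self_tests() -> dict:
    """Return the properties the snippet must always satisfy, keyed by name."""
    h1 = hash_password("correct horse")
    h2 = hash_password("correct horse")
    return {
        "verifies_correct_password": verify_password("correct horse", h1),
        "rejects_wrong_password": not verify_password("wrong", h1),
        # Same password twice must not produce the same stored value (salt works).
        "salts_differ_per_call": h1 != h2,
        "rejects_malformed_record": not verify_password("x", "garbage"),
        # Demonstrates why the pasted version is dangerous: no salt, so
        # everyone with the same password shares one hash.
        "insecure_is_deterministic": (
            insecure_hash_password("a") == insecure_hash_password("a")
        ),
    }

if __name__ == "__main__":
    for name, ok in run_self_tests().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Drop the module into the team's shared repo next to a README line that says "use this, not the top Stack Overflow answer", and wire `run_self_tests` into the existing test suite so a regression (someone lowering the iteration count, or swapping in `==`) shows up as a red build rather than as a pen test finding months later.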
  59. If your teams are creating Epics, get in early with some questions. Here are three, but you should aim to ask about 10 questions. They should be able to answer them themselves
  62. Empowered to do the right thing, and empowered to call things out when they look weird
  65. Tools to help them move faster
  67. You trust them to do the right thing, and they trust you when you say something really ought to be done
  69. Easy to understand. Easy to act.
  71. It’s hard to learn a language, so allow yourself time. Don’t be surprised if it’s a slow process. Language is hard to learn, and trust can be hard to gain.
  72. We all know that talks are sometimes the most useless part of going to a conference, and I won't presume I've done a great job myself. But take a look around you. You've all just spent 40 minutes in the same room, hopefully because this topic means something to you. As you leave to enjoy the rest of the conference, take the time to ask others how they approach this issue. How they work with and empower their development teams. What ideas sparked out of this talk for you? What could you learn from others in the same position as you? Or from those who have already made some progress? Share your learnings with others. Use each other to raise the bar. And together we can weave security into the fabric of all we do. Thank you.