The latest collaboration on secure-by-design principles requires a significant culture shift. Are you ready?
The recent development of secure-by-design principles put forward by nations comprising The Quad: Australia, the United States, Japan, and India, signals not just a welcome change to the status quo, but something of a commitment to pushing for higher standards in secure software production across the board.
For decades, we have contended with the same code-level vulnerabilities, and we need a united front by those who have the power to enact meaningful change if we are to see these reduced in any significant way. These joint principles at least set some expectations for securing software, as well as acknowledge the human element at play when it comes to vulnerabilities and access control issues being introduced in the first place.
Australian Department of Home Affairs Secretary Mike Pezzullo has put vendors on notice, stating: “If I was looking to vend to the government, I’d be reading those principles to say, ‘If the government’s not going to tolerate high-risk software in the development of code that is in services and products that I vend to government, then as a vendor I need to smarten up’.” He also flagged the possibility that these will extend beyond government parameters to banking and telcos before long.
The onus being placed on vendors is a tough one, but the uncomfortable truth is that it should always have been on us to ship secure software and to act with stringent software safety and quality measures, no matter the customer involved.
We should want to create the most secure, robust software possible, and we should view this push toward radical transparency as a boon to vendors and clients alike. It is definitely a mark of value to showcase the company’s security prowess, and brand trust and reputation are everything in this hyper-competitive arena.
I believe the first step is for all of us to stop passing the buck, and assume responsibility for data privacy, protection, and software resilience. This is as much an opportunity as it is a burden, and will require a significant culture shift that places engineering in the prime spot to be the security heroes of tomorrow.
Security-aware developers are too often the missing ingredient in a thriving security program, and nurturing their secure coding skills, awareness, and sense of responsibility for security is no longer an optional extra. Engaging them with right-fit tooling and agile learning solutions goes a long way in preparing them to defend the organization against the growing threat landscape, and helps raise the overall industry standard for code quality: an element we have ignored for far too long.
Pieter, thank you for sharing 👍