At first glance, the title of this post sounds like an excuse. It is the sentence almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!) In my view it is a poor excuse if you only present it after everything has fallen apart and only then start working on Security. Security is something you need to work on every day. And once you think you’re doing fine, you probably still need to speed up, because attackers continuously improve their skills too.
Although we have no intention of getting hacked anytime soon, we’d like to share with you some of the Serious things we’re doing to take care of your Security. This is the first of three blog posts; today we talk about awareness and training.
Awareness and Education
At TOPdesk we think delivering secure software is not something that can be taken care of by a few specialists in a Security team. It can only be achieved if all departments work together and understand what Security means. That’s why, a few years ago, we started a Security Guild at TOPdesk, bringing together Security-minded people from different departments and different international offices. Together they have the expertise and the range of perspectives to take up this challenge and do what is needed to protect our customers’ data.
One of the most important goals of this Guild is to spread awareness about Security. Everyone, inside and outside of the Guild, should know about the risks and why we need to improve data protection. Although education and awareness are often aimed at Developers, our Support staff get a lot of attention too. They need to recognise immediately when a customer’s issue may be Security related. They also frequently handle customer data, which always needs special care.
Apart from these two groups, everyone in the company gets training on Secure authentication, communication and information handling. With this, every employee learns to recognise and prevent data breaches. If they ever spot something phishy, they know to report it directly to the Security experts, so appropriate action can be taken.
Different ways to reach colleagues
TOPdesk is a very free and liberal company. Few things are mandated. Rather, we try to inspire our colleagues when we tell them about Security. In the end, this has a much more lasting effect than a yearly compulsory training that everybody has to sit through.
Since sending every Developer to a mandatory training doesn’t work for us, we need to be more creative to reach them. Note that the liberal culture doesn’t mean that Developers are free to ignore Security! They may choose how they learn and apply it, but if negligence leads to the delivery of insecure code, measures will still be taken.
We use different channels to reach colleagues, which also makes the whole awareness campaign more fun. For some it works best if we write in-depth blog posts on our Techblog; for others we write shorter, easier to grasp posts on our intranet. We often create posters that we hang on the walls in all our offices (as we did earlier with our customized OWASP Top 10 poster). Every 8 weeks we have an international mini Developer conference, at which we often cover a Security topic. We have also organized a public Security meetup. Most recently we created a checklist that Developers can use during implementation and testing to make sure they have thought about the most important pitfalls.
A vital part of our approach is our conviction that Security is fun. It’s not scary or boring or whatever else people may think of it. We try to make it fun to learn and fun to play with. To this end, we’ve organized hacking games and pub quizzes dedicated to Security, to make sure every colleague knows this. The bar to start learning should be as low as possible.
With all these awareness campaigns, members of our Guild become more visible, which is an anticipated and very useful side effect. I can tell from the number of questions I get asked about Security every day that this works well. Making Developers aware is the first and most important goal for our Guild. Even if they don’t know how to solve a vulnerability themselves, they will flag the problem and know whom to ask for help.
Awareness is important, but if few people know how to actually fix or prevent vulnerabilities, we are going to have a busy time. So, apart from raising the general level of basic knowledge, we offer more in-depth trainings as part of an Advanced Security Training program. In this program (which is still evolving), we discuss topics like XSS, HTTPS and Threat Modeling. The trainings aim at a much deeper understanding of the technical problems behind these topics and give Developers the tools and know-how to prevent them. Developers who follow these trainings are able to spread their knowledge further and help those colleagues we haven’t reached yet.
Security trainings for Developers often consist of guidelines on how to prevent or fix vulnerabilities. We aim to give them a better understanding of the whole problem, so that they can verify for themselves whether they have actually fixed an issue. Technology changes fast, so a guideline written for one situation may not cover the next, and guidelines get outdated quickly.
Giving more trainings also helps to get more people interested in Security, which results in more members for our Guild, which in turn increases our capacity to help colleagues create more secure software. I love it when a plan comes together.
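As an added illustration of the difference between following a guideline and understanding the problem (this is an example written for this post edit, not TOPdesk’s code or training material), take XSS, one of the topics named above. A common rule of thumb is “escape < and >”. That is enough for text between tags, but not for a value inside an HTML attribute. The check at the end parses the generated fragment the way a browser would, instead of grepping for strings, which is the kind of self-verification we mean. The payloads and the page fragment are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs for this example.
PAYLOAD_TEXT = "<script>alert(1)</script>"
PAYLOAD_ATTR = '" onfocus="alert(1)" autofocus="'


def guideline_escape(value: str) -> str:
    """The rule of thumb: neutralise angle brackets and nothing else."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def encode_text(value: str) -> str:
    """Encoding for HTML text content (between tags)."""
    return html.escape(value, quote=False)


def encode_attr(value: str) -> str:
    """Encoding for a double-quoted HTML attribute value; quotes matter here."""
    return html.escape(value, quote=True)


def render(display_name: str, text_encoder, attr_encoder) -> str:
    """Hypothetical page fragment that reflects the same input in two contexts."""
    return (
        f"<p>Hello, {text_encoder(display_name)}</p>"
        f'<input type="text" name="display" value="{attr_encoder(display_name)}">'
    )


class _Inspector(HTMLParser):
    """Records what a browser would actually see in the fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_handlers = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.event_handlers.append(f"{tag}@{name}")
            if tag == "input" and name == "value":
                # HTMLParser decodes entities, so this is the value the browser uses.
                self.input_value = value


def inspect(fragment: str) -> dict:
    """Verify by parsing, not by string matching."""
    parser = _Inspector()
    parser.feed(fragment)
    parser.close()
    return {
        "tags": parser.tags,
        "event_handlers": parser.event_handlers,
        "input_value": parser.input_value,
    }


def compare(payload: str) -> dict:
    """Render the payload both ways and report what a parser sees."""
    return {
        "guideline": inspect(render(payload, guideline_escape, guideline_escape)),
        "contextual": inspect(render(payload, encode_text, encode_attr)),
    }


if __name__ == "__main__":
    for label, payload in (("text payload", PAYLOAD_TEXT), ("attribute payload", PAYLOAD_ATTR)):
        result = compare(payload)
        print(label)
        print("  guideline :", result["guideline"])
        print("  contextual:", result["contextual"])
```

The guideline version passes for the script payload and fails for the attribute payload: the parser reports a new onfocus handler and an empty value attribute, because the attacker’s quote closed the attribute early. The point of inspect is that it asks the question a browser asks (did a new tag or event handler appear, does the attribute still hold the intended value) rather than whether a particular string is present, so the same check keeps working when the encoding rule itself changes.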
Next time we’ll talk about Secure Development, and how we help Developers apply what they learned.