Sunday, November 15, 2020

DevSecOps: Empower developers to secure their code faster


Nathan Brown posted a great example of proactive developers holding themselves accountable for the security of their code and quickly implementing a thoughtful, well-designed fix.

Large, centralized, process-oriented "enforcement" Information Security (InfoSec) organizations tend to produce a culture in which developers perceive security as friction, an obstacle to delivering value to customers. Developers then bolt on bad design hacks that satisfy the security scan so they can ship sooner. A self-destructive culture evolves: a "cat and mouse" game of compliance police versus sloppy developers that destroys trust and achieves neither secure design nor enough delivery velocity for the enterprise to remain competitive. This anti-pattern is part of what I call "bureaucracy-led un-imagination," which one new CEO has called "past failures" in need of a "tech-led reimagination."