Any teacher knows that it's way more valuable to catch someone doing something right and reinforce good behavior than to nag about mistakes. Why then does infosec take the latter path and often try to blindside developers and project teams, waving the list of vulnerabilities like a bloody shirt paraded through the streets?
Kent Beck has a great quote - "I used to think of programs as things, now I think of them as shadows of the communities that build them." What does the shadow of your organization look like? Two silos miles apart occasionally exchanging cannon fire?
Wouldn't we be better off trying to catch developers doing the right thing? Wouldn't it be better to instill a safety first culture?
WSJ on UPS' safety culture:
Chadd Bunker says his friends and relatives tell him he drives like an old man. Roll through a stop sign? He would never do that. Exceed the speed limit? Not on your life. He makes three right turns to avoid a left. He can be annoying.
But Mr. Bunker, who is only 48 years old, is no ordinary driver. He recently became one of the proud, lucky few to reach the delivery driver equivalent of Eagle Scout—United Parcel Service Inc.'s Circle of Honor.
The award goes to those who manage to drive their big brown trucks without having an "avoidable" accident, for years and years. That isn't easy since UPS considers nearly every kind of accident avoidable. A scratch on the truck while backing up, or a tree branch hitting the vehicle and breaking a mirror, they both count as accidents that might have been avoided.
Drivers who make it through 25 years are honored with a little ceremony, a patch on their sleeve documenting the number of accident-free years and the ultimate king-of-the-road status symbol: a bomber jacket.
UPS is driven by its safety culture. New drivers at the 107-year-old company are required to attend intensive, weeklong training courses, informally dubbed "Quaker boot camps" that emphasize ethics and safety.
It isn't the only company to toot its horn for safe drivers. PepsiCo Inc.'s Frito-Lay honors its million-mile safe drivers at an annual awards gala at its headquarters in Plano, Texas. The achievement typically takes 12 years. Con-way Inc., in Ann Arbor, Mich., bestows a class ring on its two-million-milers, who also get an embroidered jacket and business cards. Waste Pro USA Inc., in Longwood, Fla., awards its garbage truck drivers $10,000 for three years of spotless work. Spotless has three components: a positive attitude, good attendance and no accidents. UPS-rival FedEx Corp. gives awards too, recognizing employees after each year of safe driving.
For UPS drivers, the road to glory is very hard. UPS drivers must memorize the company's more than 600 mandatory "methods." These include checking the mirrors every five to eight seconds, leaving precisely one full car length in front when stopping and honking the horn just so: two short friendly taps, no blasting.
There are all sorts of potential hazards. In Ketchikan, Alaska, for instance, Tom Fowler, 53, dodges black bears and deer on a regular basis. In the snow and ice, he parks, then pulls a sled of packages a quarter mile up narrow roads on steep, slick hillsides to avoid the possibility of a vehicle accident. He became the first Alaskan driver to make the circle of honor in January.
"When you're out delivering, it's not unusual to see bears, black bears. People do hit 'em," Mr. Fowler said. It's "a big crash if you hit a bear."
About 1,500 were inducted into the circle in 2013, and a mere 7% of the 102,000 UPS drivers on the road are members.
Drivers agree the most impressive record belongs to Ronnie McKnight, who has driven safely for 46 years in New York City, dodging aggressive taxi drivers and parking precariously on a daily basis. Mr. McKnight, 71, learned to drive slowly on a tractor at age 11. Now, he says, his secret is "patience. Don't be in any rush to do anything."
There is a lot that infosec can do here. For a start, catch developers doing the right thing. That's 180 degrees different from how infosec teams traditionally function. Given the limited success of infosec so far, it's time for a fresh approach. In our IEEE Security & Privacy Journal paper, "10 Quick, Dirty and Cheap Things You Can Do to Improve Enterprise Security", James McGovern and I called this: find diamonds in your back yard:
This might shock some battle-weary, jaded enterprise security people, but good things are probably happening right now in your organization with regard to security. Even amid the myriad challenges enterprises face in developing more secure software, some existing developer behavior will likely meet or exceed security requirements, whether it deals with input validation classes, instance level authorization, audit logging, or secure exception-handling classes. Your job is to find working examples that are proven in your enterprise and “bless them” as good examples of security standards, patterns, and practices.
With the only cost being your time, you can help get wider adoption of secure software that’s proven to work in your enterprise while building goodwill with developers by recognizing good work, not just finding faults. This approach has the convenient byproduct that for the existing good practices, you don’t spend your precious time and political capital lecturing birds on flying.
There's a lot more to say here, but I will close it with one thought: Instead of hoarding the security budget to spend on gee-whiz foofaraw products sold on the RSA trade show floor, buy pizza for the dev team with the best record each month. You'll fix more broken stuff and, more importantly, you'll begin to build a real safety culture.