The Security Industry Has Failed The Developer

An Open Letter to the Security Industry

Another breach was reported today, it’s all over the papers. “Website Defaced via Remote Code Execution”, “Customer Data Disclosed as a Result of SQL Injection”… “Damn developers, always producing shitty code. They’re all alike.”

But did you, in your world of risk and compliance, ever take a look behind the eyes of the developer? Did you ever wonder what makes us tick, what forces shaped us, what pressures may have driven us?

We are developers, enter our world…

Ours is a world that begins with a ticketing system… we could work outside of the ticketing system and fix your security issues out of band, but that only leads to more problems. “Damn underachiever. They’re all alike.”

We are actively working on our projects, striving to meet the ever-increasing velocity of Agile and DevOps methodologies. We are unable to halt our progress in an effort to make sense of your report containing 10,000+ “vulnerabilities” that needed to be fixed yesterday, especially when we receive it 2 weeks after we completed the Sprint. “Untrained novice. They’re all alike.”

We’ve put in the effort to automate our entire build pipeline to achieve true CI/CD… ultimately allowing us to respond to business needs faster. Wait, you want us to integrate automated security testing into our build pipeline? The scan takes how many hours? You want to forcefully break our builds if it finds an issue? Even if, by your own admission, the tool produces tons of potential issues whose accuracy is barely better than a random guess? “Stubborn ingrate. They’re all alike.”

And then it happened… a door opened to a world… a realization of the truth… freedom from those psychological barriers, rushing through our fingertips like heroin through an addict’s veins, thousands of lines of code are written, destined to alleviate those consistently burdened by the doctrine of security best practices… a movement is born.

This is it. This is where we can make a difference. We are the creators. We are the innovators. With our work, we can change the security industry for the better… for our peers, our friends, our co-developers… for us. “Damn geek. Getting caught up in another distraction. They’re all alike…”

You bet your ass we’re all alike… we’ve been neglected and abused for the sake of compliance and risk. We’ve been dominated by sadists, or ignored by the apathetic. The few that understood have found us open and willing to discuss how it can be improved, but those few are like drops of water in the desert.

The security industry is our world now… the world of the developer, the beauty of accuracy and automation. We believe in the importance of protecting our users and their data. As such, we will build the security software and technologies as they should have been built all along – specifically for developers. They will be fast. They will be accurate. They will integrate with our stacks. They will help us – not hurt us. We’ve become quite adept at automation… and this too will be automated in time.

I am a security conscious developer, and this is my manifesto. You may stop this developer, but you cannot stop us all… after all, we’re all alike.

P.S. Thank you, Mentor.