
Ask HN: How to change security culture? - throw-uudbdbck
My software developer colleagues have what I consider to be "dangerously wrong" attitudes about software security. I'm at a loss for how to persuade them to improve. I've tried to provide clear, friendly, not-pointing-fingers feedback, but I'm mostly met with smiles and nods and then the code moves into production with the security flaws intact. I see no signs that management cares.

Is there a technique that you've used successfully to change developer (or management) attitudes?

We're in the U.S. Primary and Secondary education markets, so there are rules and regulations, and we do store Personally Identifiable Information (PII) for young children, mostly in the form of performance measures.
======
Eridrus
The most common reasons for resistance are: you have insider knowledge that
makes it easier to find/exploit bugs and that we're not a big enough target
for people to explicitly hack us.

And they're not necessarily wrong either.

Despite the paranoia about children's information, it's not actually worth
very much, so why bother to steal it?

If you do anything that has grades, you may find that students are motivated
to hack you, but otherwise there are probably not a whole lot of people who
will target you.

If the issues are so brazen that automated tools like sqlmap will hack you,
then that's probably a good thing to show.

Even if you manage to convince people that security is truly lacking, security
needs to be painless rather than something everyone buys into and is
constantly vigilant about, so try to advocate for solutions that can handle
security for you automatically, eg libraries, etc.

But for most orgs, you're really not likely to get hacked through your webapp
(unless it is truly atrocious), but rather someone in your org accidentally
installing ransomware and encrypting your shared files.

------
savethefuture
Provide a POC of an exploitation of the security flaw; nothing will change
someone's mind faster than letting them experience something themselves.

------
kairoer
Hi, there are two different target audiences you point to: your SW dev
colleagues, and the management. These are two very different groups of people,
with different roles, tasks and perspectives. Adjusting your communication to
their needs is a key to your success. Here are a few suggestions on how to
influence your colleagues to be better aligned with the security needs you
see:

SW Devs:

- introduce hacking days, with CTFs and similar competitions. The purpose is
  to show how easy it is to hack the code. As competence and interest grows,
  focus the scope on particular areas you would like to secure/have identified
  as higher risk.
- invite a "real" hacker to share her experiences with you and showcase some
  of the possibilities.
- do a pentest to demonstrate the level of security. If no budget, do it
  yourself.
- access the system access logs, and show who is accessing the system. Also
  show who is trying to gain access.
- If using a WAF, show logs of the SQL injection attempts and other nasties
  going on.
- get a pineapple or use Metasploit and similar tools to show how easy it is
  to infiltrate, sniff and collect data. Lots of people do not get this...
- Find one colleague who sees the point (i.e. find someone to support you and
  help you convince the others). In social psychology, one is nothing, two is
  a crowd!
- If you have budgets, bring a colleague or two to events like Defcon/Black
  Hat, BSides events or local hacker / security workshops/meetups. Use this to
  build interest.
- Apply SDL (Software Development Lifecycle) and SCF (Security Culture
  Framework).

For management:

- identify and document the risk (as they see it, not from a technical
  perspective), i.e. what business risks exist, how will / can / may they
  impact the business.
- make a case for improved security / secure coding: business value of
  providing secure products (reducing risk for customers, improved compliance
  etc etc).
- start simple, with one area/topic.
- invite the managers to join the hacker talk (above), or better, have the
  hacker person do a 10-15 minute sitdown with management.

These are just a few suggestions known to work at other companies worldwide.
Most can be done with no/low budget, and then they can be scaled up over time
as budgets allow for it.

The argument that hackers don't find you a relevant/interesting target, as
comments suggest, is BS. There are so many different hackers out there, and
their focus and areas of interest differ by the hour. Do a serious risk and
threat assessment, then make your decisions based on that. Keep it up to date,
as the landscape changes often.

Check out the free Security Culture Framework:
[https://securitycultureframework.net](https://securitycultureframework.net)
which is quickly becoming a de-facto standard for building and maintaining
security culture.

If you are interested in more on this topic, consider downloading the Security
Culture Report 2017: [https://get.clt.re/report](https://get.clt.re/report) -
it provides some interesting findings on what influences security culture, how
age and gender impact it, and proposes a standard method for measuring culture.
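As an added example (written for this thread, not code from any commenter), here is a small Python script that does what the "show the access logs" and "show the SQL injection attempts" suggestions describe: it parses a few constructed combined-format access log lines, tags requests that look like SQL injection, scanner user agents and repeated failed logins, and summarizes them per client address so the evidence can be put in front of colleagues. The log lines, the detection patterns and the failed-login threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (combined format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2017:10:01:02 +0000] "GET /grades?student=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:10:01:09 +0000] "GET /grades?student=42%27%20OR%201%3D1-- HTTP/1.1" 200 9876 "-" "sqlmap/1.1"
203.0.113.7 - - [12/Mar/2017:10:01:11 +0000] "GET /grades?student=42%20UNION%20SELECT%20name,ssn%20FROM%20students HTTP/1.1" 500 0 "-" "sqlmap/1.1"
198.51.100.9 - - [12/Mar/2017:10:02:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2017:10:02:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2017:10:02:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2017:10:03:00 +0000] "GET /teacher%27s%20notes HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A lone apostrophe (e.g. "teacher's notes") is not enough; require SQL syntax around it.
SQLI_RE = re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s+[\w']+\s*=\s*[\w']+|;\s*(drop|insert|update|delete)\b)")
SCANNER_UA_RE = re.compile(r"(?i)sqlmap")

def parse_line(line):
    """Parse one combined-format line; return a dict with the URL-decoded path, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = unquote_plus(entry["path"])
    return entry

def classify(entry):
    """Return the list of tags for one parsed entry; an empty list means nothing suspicious."""
    tags = []
    if SQLI_RE.search(entry["path"]):
        tags.append("sqli")
    if SCANNER_UA_RE.search(entry["ua"]):
        tags.append("scanner-ua")
    if entry["method"] == "POST" and entry["path"].startswith("/login") and entry["status"] in (401, 403):
        tags.append("failed-login")
    return tags

def summarize(log_text, login_threshold=3):
    """Aggregate tags per client IP; flag repeated failed logins above the threshold."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            per_ip[entry["ip"]][tag] += 1
    report = {}
    for ip, counts in per_ip.items():
        findings = dict(counts)
        if counts["failed-login"] >= login_threshold:
            findings["brute-force-suspected"] = True
        report[ip] = findings
    return report

if __name__ == "__main__":
    for ip, findings in summarize(SAMPLE_LOG).items():
        print(ip, findings)
```

Clients with only benign traffic (here 10.0.0.5) do not appear in the report at all, which keeps the summary focused on what you want colleagues to look at.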

~~~
throw-uudbdbck
Wow! A lot of helpful info here. Thanks!

