Who is responsible for security?

Everyone? I’m not so sure…

Imagine the early 2000s… Britney Spears is playing on the radio, the waterfall model is de rigueur, pentesting is not a career choice, OWASP was in its nascent stages.

This is the era when threat modeling became popular and brought with it a sense of security - a way in which software engineers could gain some level of control over security by putting in the work to understand the threats to their product, before touching the code. Appsec was a mystical art known by few, and they could not do all of it themselves; they needed the software engineers to step up and learn security.

Fast forward to now: we have a USD $200 billion cyber security industry with millions of people involved in hundreds of niches. Every tech company over about 50 staff has at least one security hire, and large companies have an army of SOC analysts, appsec, GRC, perhaps even an offsec function.

The long-standing dogma is that everyone is responsible for security. In appsec, that means security champions should bear the weight of ensuring their engineering team builds secure software. In the past, I can understand the need for everyone to add security to their skill set. But now?

All crafts, trades and arts have profited from the division of labour; for when each worker sticks to one particular kind of work that needs to be handled differently from all the others, he can do it better and more easily than when one person does everything. Where work is not thus differentiated and divided, where everyone is a jack-of-all-trades, the crafts remain at an utterly primitive level.

-Immanuel Kant

Security champions are usually software engineers wearing a security hat. They might have done a half day course or online training on OWASP top 10, if they’re lucky. Often it’s just an arbitrary software engineer selected by their manager. Although software engineers and TPMs could no doubt learn all the ins and outs of cyber security, why should they be burdened with it?

We have a huge number of specialist security people who could do attack modeling more efficiently. Appsec folks will understand potential attack vectors as well as the business context of the application and how it fits into the big picture. Automation and DevSecOps have gone some way to alleviating this issue, but there are still a few manual steps holding out.

Software engineers at startups and small companies obviously have to do double or triple duty. But large companies? They should understand that by loading up software engineers with security work like attack modeling, they are introducing inefficiencies, and would be better off hiring more security people.