Background: Why secure software development depends on six roles
For AppSec Leads: Understand the perspective behind the AppSec Ownership Model and validate it for yourself
At first glance, developing secure software may seem to involve only developers and the security team, but this view is too narrow. If you want to understand why the Application Security Ownership Model is built on six roles, here’s where you find the background story. You can use it as a compass to validate whether this approach is for you.
Why control doesn’t work
The old way to do security was based on control. Someone decided who can be trusted, what behavior is acceptable and what needs to be blocked entirely. This approach has one big problem: it works on paper, but is often far from reality. It can actually harm your company’s core business if software developers are no longer able to develop software, or at least not efficiently.
What actually works
Trust works. Freedom works. Collaboration works.
Don’t treat your software developers as one of the biggest threats to a secure product. In fact, they can be your biggest asset. Most developers aren’t trying to build insecure products. They are not the ultimate evil you need to protect against. Often, they simply lack security knowledge, are pushed by deadlines and are kept on a short leash instead of being allowed to think for themselves. Often security just gets in their way instead of actually enabling them to build a secure product. That’s what we need to fix.
Who is involved in developing secure software?
The developer builds the product. The product is what brings your company money and pays your salary. So I think we can agree that the main character in software development is the software developer. Without someone actually writing code, there will be no product to secure. They drive the software development lifecycle (SDLC). Within the AppSec Ownership Model, I call them the Executor.
Of course, you as the AppSec Lead want them to build secure software, thus turning their SDLC into a secure SDLC. You are the Owner. You educate them. You trust them. You help them to change their behavior. You provide them with everything they need to do their duty.
But there is one person who gets in your way. The project leader is responsible for managing time and resources. They are the Gatekeeper. It’s their job to ensure their team’s time is spent well, so you need to convince them, or they will simply not let you interfere with their team. They are a valuable asset to you, too. They can help you build security that serves their team, as they will tell you to your face when you expect bullshit tasks from them or their team.
You may find Gatekeepers who are open to working with you, but some may be harder to convince or may refuse to collaborate at all. To get them in line, you need a strong Backbone. Without support from the executive leadership, you will fail.
That’s the bare minimum. Four roles.
How to change behavior
The fifth role is the Advocate. When you start your AppSec initiative, you won’t have a structured security champions program, but you will for sure already have some secret champions advocating for security. It doesn’t matter whether they have an official mandate yet or just do what they do. You need them.
Developing a strong security culture is what makes your AppSec program sustainable, but it’s hard to achieve. It’s a long journey, but it starts with one intentional step. Changing culture means changing behavior. And your security champions are already role models for what good secure behavior looks like. By building a strong security champions program, you are already on the path to that strong security culture. You just need to keep going and trust the process.
How to speed things up
No, I’m sorry. I don’t have the secret hack to speed up your culture development. But you can speed up your own learning curve as the Owner and reduce your trial-and-error cycles, which will get you moving faster.
We are talking about external expertise. Whenever you hire a coach or consultant, you leverage their experience to learn faster and avoid mistakes they have already made. While this can be a big opportunity, it can also be a trap. If you externalize accountability, you make yourself dependent on them. That’s why we cover the Catalyst role as the sixth role within the AppSec Ownership Model. The role is optional, but if you choose to use it, you need to know how to avoid the trap and stay independent.
If you are currently looking for AppSec guidance, feel free to reach out. I’m committed to keeping you independent.
How to get started
We covered all six roles involved in developing secure software. If my point of view resonates with you, feel free to explore the AppSec Ownership Model and use it to clarify accountability within your AppSec program. Accountability is the foundation that everything else is built on.
This model is grounded in my personal experience and I’m more than happy to discuss it with other practitioners who are committed to building security for the real world, not just on paper.