How To Communicate Standards To New Developers
The Biggest Challenges And Best Practices For Communicating Technical Standards
At some point, nearly every enterprise will have to review strategies for communicating standards to new developers. A standard is a formal document with specifications, requirements, and protocols to ensure uniform technical procedures.
Within the International Organization for Standardization (ISO), the ISO/IEC Joint Technical Committee 1 (JTC 1) is the environment where global standards are developed. Over the past 30 years, JTC 1 has developed several successful international standards, such as the creation of MPEGs, IC cards, and enhanced programming languages. Standards set by JTC 1 are initiated as a response to a need in the market, and they are based on global expert opinion. As of 2018, 161 member nations participate in the international process, and companies can participate in the national process.
A technical standard can also be developed by enterprises for internal purposes. This often requires a strong process for communicating standards with new technology team members. When an airline recently created a new strategy for this process, Enterprise Mobility Exchange learned that it posted details to an enterprise data store that was shared with all new technology hires.
“The biggest challenge is keeping the documents updated, so it required a commitment from leadership to prioritize this work with project and support work,” a representative from the airline said.
The Biggest Challenges For Working With New Developers
Rizwan Jan, CISO for the Henry M. Jackson Foundation for the Advancement of Military Medicine, contends that reducing the standard 12-, 18-, or 24-month development cycles to just a few weeks puts a lot of pressure on new developers.
“This severely impacts the security team to conduct their due diligence,” Jan said. “If an organization’s security tools are DevOps friendly, tools should be automated and baked into the secure development life-cycle, increasing the speed of deployment in parallel, and providing enhanced application security.”
Complicating this process is the tension that exists between security teams and developers. The two sides have different goals: developers want to deploy software quickly, while security teams conduct testing that often requires developers to fix newly discovered vulnerabilities before release. If the two sides are unable to resolve this conflict, the tension will continue.
Security teams should also develop new skills to secure apps in a DevOps environment. The enhanced ability to write code and scripts can help security teams in this process.
What Role Does Compliance Play In This Process?
Compliance is often overlooked as new developers learn the standards. Enterprises can enforce compliance through code reviews, automated testing of code, and automated code review during the deployment process.
It is best for organizations to consider compliance while determining a communication process for technical standards with new developers. In nearly every industry, there are auditors, laws, and regulations that impact enterprises. Failure to meet compliance could result in security risks that impact DevOps and security teams.
“Potential data leakage, poor security controls, and/or negligence will drive regulatory fines, potential loss of license, or regulatory approval to do business,” Jan said. “In addition, remaining in compliance with industry standards reinforces your company brand to the customer and sets you apart from your competition (ethical business).”
Best Practices For Communicating Standards
When a new developer joins the company, it is vital that mandatory training begin on the first day. This includes security training that must be embedded in the DevOps process. After onboarding is complete, the new team member must stay informed about security concepts and the latest trends in security. An enterprise should ensure that technical standards are accessible for developers to review, and that those standards are protected from unauthorized access and tampering.
Jan recommends that new developers understand the following security concepts in order to adjust to the standards:
1. Secure Design: A developer should know how attack surface reduction works, what defense in depth entails, and the principle of least privilege.
2. Threat Modeling: Enterprises should provide developers with an overview of threat modeling, design implications of a threat model, and coding constraints based on a particular threat model.
3. Secure Coding: Concepts such as buffer overflows, cross-site scripting, SQL injection, and weak cryptography should be emphasized in the communication process.
4. Secure Testing: Does the developer know the differences between security testing and functional testing? The developer should master the company’s risk assessment and security testing methods.
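The following is an added example, not code from the article or from Jan, illustrating two of the concepts above: secure coding (SQL injection, item 3) and the difference between a functional test and a security test (item 4). It uses Python's standard sqlite3 module with a constructed in-memory table; the function names, the table, and the tainted input are assumptions made for the illustration. The same lookup is written twice, once with string concatenation and once with a bound parameter, and a small harness runs both a functional check (the legitimate name is found) and a security check (a tainted name must match nothing). Only the hardened version passes both.

```python
import sqlite3

# Constructed sample data for the demonstration; not real user records.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

# A name that a functional test would never try, but a security test must.
TAINTED_NAME = "nobody' OR 'x'='x"


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Insecure: the caller-supplied name is spliced into the SQL text,
    so quote characters in the input change the meaning of the query."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """Secure: the driver binds the value to the placeholder, so the
    input is always treated as data and never parsed as SQL."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def run_checks(lookup):
    """Run a functional test and a security test against one lookup.

    functional: the legitimate name returns exactly its own row.
    security:   the tainted name returns no rows at all.
    """
    conn = make_db()
    functional_ok = lookup(conn, "alice") == [("alice", "admin")]
    security_ok = lookup(conn, TAINTED_NAME) == []
    return {"functional": functional_ok, "security": security_ok}


if __name__ == "__main__":
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("hardened", lookup_hardened)):
        print(label, run_checks(fn))
```

A functional test alone passes for both implementations, which is why a test suite that only exercises expected inputs gives no assurance about injection. The security check is the kind of case that can be added to the automated testing that the compliance section describes, so that the insecure pattern is caught before deployment rather than in a later review.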