With the recent WannaCry ransomware attack on sites around the world, you might wonder whether your Developer Community site is secure. You might also consider helping your developer program members ensure that they are using security best practices as well.
Cyber security has become one of the hottest issues today, but Evans Data’s just-released Global Development Survey shows that only 31% of software developers say their company has an overall formal security policy that is uniformly adhered to throughout the organization. More companies, 34%, have an informal policy that is adopted by various departments throughout the company, while another quarter either have no particular policy or one that is piecemeal and defined by the various departments themselves.
In last November’s DevRelate blog post, “Security Chops for your Developer Relations Program and Team Members”, I encouraged all developer relations team members, whether they are part of a security-based company or not, to be able to speak to the security aspects of software development. DevRel advocates should also be able to assure their members that the developer community site and APIs developers use are safe from security problems.
Less Than a Third of Companies Have an Overall Cyber Security Policy
Evans Data’s recent press release, “Less Than a Third of Companies Have an Overall Cyber Security Policy”, reports that developers within the APAC region are the most likely to cite an overall formal cyber security strategy, according to the global survey of over 1500 developers conducted in six languages over four major geographical regions. In North America and the EMEA region, companies are more likely to have an informal policy that does not extend across the whole enterprise. EMEA is also the region where more companies with no particular policy at all are found.
In addition, only 26% of developers worldwide say they are developing their apps to run on secure and trusted systems. However, an additional 19% expect to be doing this within the next 6 months.
“Recent events have highlighted the need for enhanced cyber security,” said Janel Garvin, CEO of Evans Data, “but security has been a top issue for software developers for quite some time and across many disciplines. We have consistently seen the developers themselves citing security as a chief concern so there is frustration that their companies aren’t taking an overall approach.”
Evans Data Global Development Survey
The Global Development Survey is conducted twice a year with broad topic focus on issues such as Platforms, Languages, Development Lifecycle and Tools, Blockchain development, Artificial Intelligence and Big data, Mobility, Cloud, High Performance Computing, Databases, Security, Game Development and more.
See the complete Table of Contents and Methodology here: Table of Contents
Practice Secure Computing and Help your Developer Members Do the Same
Do your developer relations team members have security chops? Do your advocates keep track of the state of the art in secure computing? Does your developer relations site have the right security features? Do you help your developer community members practice secure computing? If your answers to some of these questions are no or I’m not sure, now is the time to increase your security chops!
David Intersimone “David I”
Vice President of Developer Communities
Evans Data Corporation
We read, almost daily, about sites being hacked, intellectual property being stolen and other security exploits. Companies’ executive teams now include Chief Security Officers (CSOs). Developers inside companies focus on ensuring the security of the systems they build. Companies with developer relations programs also have to make sure the APIs and services practice secure computing. Developer evangelists, whether they are part of a security-based company or not, have to be able to speak to the security aspects of software development. Do your developer relations team members have security chops? Do your evangelists keep track of the state of the art in secure computing? Does your developer relations site have the right security features? If your developer program is located in a public cloud, does your provider give you the security you need? Is your community site still using HTTP instead of HTTPS? These are good and timely questions to ask of your company, your developer relations program and your evangelism team members.
Evans Data Global Development Survey and Security
In a recent press release, “North American Developers Are the Only Ones Worrying About Cyber Warfare”, Evans Data reported on recent global developer survey results related to security, cyber crime and cyber warfare. The survey, conducted in six languages across four continents, showed that developers in both the emerging Latin American and Asia-Pacific regions view the largest threat as “Intellectual Property Thieves and Corporate Spies”, while those in the EMEA region cited “Cyber crime syndicates” as the threat we should be most concerned with. Only in North America was “Cyber Warfare from Nation States” cited by a significant number of developers. This concern was number one in North America. You can read about additional findings in the Evans Data press release.
Security and Developer Relations
I keep up to date on what is happening with software and security by reading the security news, reading a few security blogs and following some of the sites focused on secure computing. You should encourage your developer evangelists to spend some of their time keeping up to date as well. Here is a good starting list of top security-related sites with articles, blogs and links.
- Krebs on Security – Brian Krebs, a former Washington Post reporter, is a prolific blogger and security industry luminary who writes about security news and investigations. On his About the Author page he writes “Much of my knowledge about computers and Internet security comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet. The rest I think probably comes from a willingness to take risks, make mistakes, and learn from them.”
- Schneier on Security – “Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press.”
- Information Week’s Dark Reading – “Long one of the most widely-read cyber security news sites on the Web, Dark Reading is now the most trusted online community for security professionals like you. Our community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.”
- Kaspersky Lab’s Threatpost – “Threatpost, The Kaspersky Lab security news service, is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.”
- Wired’s Threat Level – “Wired talks privacy, crime, and security online, delving into clever hacks and workarounds and reporting on the latest security news impacting consumers and professionals in the field.”
- US-CERT (US Department of Homeland Security) – “US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.”
- Norse Corp Live Attacks – World map with live attacks showing attack origins, types and targets. “Norse is dedicated to delivering live, accurate and unique attack intelligence that helps our customers block attacks, uncover hidden breaches and track threats emerging around the globe.”
- FireEye Cyber Threat Map – cool animated global map showing a live subset of real attack data. “FireEye protects both large and small organizations committed to stopping advanced cyber threats, data breaches and zero-day attacks. Organizations across various industries trust FireEye to secure their critical infrastructure and valuable assets, protect intellectual property and avoid bad press, costly fixes and downtime.” FireEye’s current threats and blog posts.
The platform and device vendors also provide articles and information for developers. Here are a few articles and sites:
Cyber Warfare Sites and Information
- RAND Corporation Cyber Warfare – Cyber Warfare research and insights – “RAND research provides recommendations to military and civilian decision makers on methods of defending against the damaging effects of cyber warfare on a nation’s digital infrastructure.”
- Financial Times Cyber Warfare news – reports and articles about cyber warfare, hacks and more.
Security Scanning for your Developer Relations Site
There are many tools you can use to check the security of your developer relations sites. Check out the following services.
- Qualys SSL Labs – SSL Server Test – “SSL Labs is one of most used tools to scan SSL web server. It provides deep analysis of your https URL including expiry day, overall rating, Cipher, SSL/TLS version, Handshake simulation, Protocol details, BEAST and much more.”
- WordPress Security Scan by HackerTarget.com – online security test for WordPress sites. DevRelate, the community for Developer Relations Professionals, uses WordPress. I suspect that other developer relations programs also use WordPress.
Developer Relations Programs and Security – tell me your story
I am always looking for stories about security and how developer relations programs and evangelists help their members. If you run a developer relations program for a security company, send me an email. If your developer evangelists focus on secure computing, I’d love to hear about their work.
VP, Developer Communities
Evans Data Corporation