We read, almost daily, about sites being hacked, intellectual property being stolen and other security exploits. Companies’ executive teams now include Chief Security Officers (CSOs). Developers inside companies focus on ensuring the security of the systems they build. Companies with developer relations programs also have to make sure their APIs and services practice secure computing. Developer evangelists, whether they are part of a security-based company or not, have to be able to speak to the security aspects of software development. Do your developer relations team members have security chops? Do your evangelists keep track of the state of the art in secure computing? Does your developer relations site have the right security features? If your developer program is located in a public cloud, does your provider give you the security you need? Is your community site still using HTTP instead of HTTPS? These are good and timely questions to ask of your company, your developer relations program and your evangelism team members.
Evans Data Global Development Survey and Security
In a recent press release, “North American Developers Are the Only Ones Worrying About Cyber Warfare”, Evans Data reported on recent global developer survey results related to security, cyber crime and cyber warfare. The survey, conducted in six languages across four continents, showed that developers in both the emerging Latin American and Asia-Pacific regions view the largest threat as “Intellectual Property Thieves and Corporate Spies”, while those in the EMEA region cited “Cyber crime syndicates” as the threat we should be most concerned with. Only in North America was “Cyber Warfare from Nation States” cited by a significant number of developers. This concern was number one in North America. You can read about additional findings in the Evans Data press release.
Security and Developer Relations
I keep up to date on what is happening with software and security by reading the security news, reading a few security blogs and following some of the sites focused on secure computing. You should encourage your developer evangelists to spend some of their time keeping up to date as well. Here is a good starting list of top security-related sites with articles, blogs and links.
- Krebs on Security – Brian Krebs, a former Washington Post reporter, is a prolific blogger and security industry luminary who writes about security news and investigations. On his About the Author page he writes “Much of my knowledge about computers and Internet security comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet. The rest I think probably comes from a willingness to take risks, make mistakes, and learn from them.”
- Schneier on Security – “Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press.”
- Information Week’s Dark Reading – “Long one of the most widely-read cyber security news sites on the Web, Dark Reading is now the most trusted online community for security professionals like you. Our community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.”
- Kaspersky Lab’s Threatpost – “Threatpost, The Kaspersky Lab security news service, is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.”
- Wired’s Threat Level – “Wired talks privacy, crime, and security online, delving into clever hacks and workarounds and reporting on the latest security news impacting consumers and professionals in the field.”
- US-CERT (US Department of Homeland Security) – “US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.”
- Norse Corp Live Attacks – World map with live attacks showing attack origins, types and targets. “Norse is dedicated to delivering live, accurate and unique attack intelligence that helps our customers block attacks, uncover hidden breaches and track threats emerging around the globe.”
- FireEye Cyber Threat Map – cool animated global map showing a live subset of real attack data. “FireEye protects both large and small organizations committed to stopping advanced cyber threats, data breaches and zero-day attacks. Organizations across various industries trust FireEye to secure their critical infrastructure and valuable assets, protect intellectual property and avoid bad press, costly fixes and downtime.” FireEye’s current threats and blog posts.
The platform and device vendors also provide articles and information for developers. Here are a few articles and sites:
- Google – Secure your site with HTTPS. Last year Google announced that search is prioritizing secure HTTPS URLs over regular HTTP ones. A recent blog post covers “Understand security issues” for Chrome DevTools. With the Android operating system and the ability to side load APK files, Google provides developers with security tips and best practices. The Google Online Security site is also a good source of information.
- Apple iOS Security Guide (PDF) – “Apple designed the iOS platform with security at its core. When we set out to create the best possible mobile platform, we drew from decades of experience to build an entirely new architecture.”
- Microsoft’s Internet Safety and Security – Microsoft’s site for safety, privacy and security. The site includes links to security resources and information for individuals, families and companies.
Cyber Warfare Sites and Information
- RAND Corporation Cyber Warfare – Cyber Warfare research and insights – “RAND research provides recommendations to military and civilian decision makers on methods of defending against the damaging effects of cyber warfare on a nation’s digital infrastructure.”
- Financial Times Cyber Warfare news – reports and articles about cyber warfare, hacks and more.
Security Scanning for your Developer Relations Site
There are many tools you can use to check the security of your developer relations sites. Check out the following services.
- Qualys SSL Labs – SSL Server Test – “SSL Labs is one of most used tools to scan SSL web server. It provides deep analysis of your https URL including expiry day, overall rating, Cipher, SSL/TLS version, Handshake simulation, Protocol details, BEAST and much more.”
- WordPress Security Scan by HackerTarget.com – online security test for WordPress sites. DevRelate, the community for Developer Relations Professionals, uses WordPress. I suspect that other developer relations programs also use WordPress.
Developer Relations Programs and Security – tell me your story
I am always looking for stories about security and how developer relations programs and evangelists help their members. If you run a developer relations program for a security company send me an email. If your developer evangelists focus on secure computing I’d love to hear about their work.
VP, Developer Communities
Evans Data Corporation