NowSecure believes that the best place to start thinking about security is at the start of a mobile app project. Teaching developers to integrate security into their thinking as early as possible when designing and developing Android and iOS apps is crucial to solving the mobile app security problem. The Security by Design community is a place for security experts, developers, architects, and DevOps engineers across all platforms to meet, share good security resources for developers and work on making security an integral part of any mobile, cloud or Internet of Things (IoT) effort. The Security by Design mission so closely resembles the NowSecure mission that sponsoring the group was a no-brainer.
Security by Design hosts monthly Meetups, recently launched a weekly podcast, and coming up on Friday, Oct. 28, will host the inaugural Security by Design Conference in Washington, DC. NowSecure Research Lead David Weinstein spoke about trends in Android and iOS security at a Security by Design Meetup in August, and CEO Andrew Hoog was the featured guest on episode three of the podcast (listen now via iTunes or Google Play). Andrew will also present “Fundamentals of Android and iOS app security” at 11 a.m., Friday, Oct. 28 as part of the Security by Design 2016 Conference of which NowSecure is a proud sponsor.
With so many high quality events and good security resources for developers, security analysts, and engineers, we wanted to introduce the Security by Design community to the NowSecure audience. We talked to the group’s founder, Pete Erickson, about what inspired the creation of the group, its objectives, and future plans for Security by Design.
Can you tell us Security by Design’s origin story?
Pete Erickson (PE): I was at a lunch with members of the Capital One Information Security and Risk Management team last year, and we were talking about how much the security landscape is changing. As someone who curates communities, I saw an unmet need in the market to build a security community for every developer, DevOps engineer, and architect – a community that is approachable and a safe place to ask questions and set off on a journey toward good code hygiene. Capital One got behind the idea, and at that lunch they used the words “security by design.” I grabbed onto the phrase and used it as the name of the new community.
What are some of the main challenges in making security an integral part of any mobile, cloud or internet-of-things development?
PE: I think the biggest challenge for most developers is access to information about what they need to be thinking about. Apple and Google do a pretty good job of helping developers manage good security practices, but there are a lot of areas where developers need more support. At the end of the day, it’s up to the developer themselves to ensure the security of their applications and user data. There are holes, and there will be more holes in the future. Being aware of those holes and knowing how to deal with them is paramount.
How does Security by Design help the community overcome those challenges?
PE: We’re driving community and information-sharing across three different activities – we have a monthly Security by Design Meetup group – currently in the Northern Virginia area. We also produce a podcast that recently launched, and we have recorded our first six episodes. And then our annual Security by Design Conference kicks off on Oct. 28. The goal of all these community-driving activities is to get the best information into the hands of developers. We’ve had several people come up to us at our Meetups to tell us how much they are enjoying the information sharing. We’re fairly new, but people are telling us we’re right on target.
How would you say Security by Design is different from or augments OWASP and other similar groups’ efforts?
PE: Those are awesome groups that are targeted to security professionals. We’re targeting non-security professionals that now have a requirement, stemming from market realities, to become well-versed in security technologies they can use in developing and managing applications and data. We’re focusing the conversation on shifting to the left.
What do community members say about why they’re glad they’ve attended a Security by Design event?
PE: Most of the feedback we get centers on the fact that we’re approachable and provide a great space to get started with security and integrating it into the design and development process.
What has been one of your favorite Meetups so far and why?
PE: The panel we did last month on iOS vs. Android security was excellent. We had a developer who didn’t consider himself to be an expert on security make great contributions to the discussion because he spoke authentically from a developer’s standpoint. I think it really helped connect the dots for many members of our audience. In just our third month, we had more than 50 people on hand for that one.
Who should go to the Security by Design Conference on Oct. 28 in Washington, DC and why?
PE: Developers, DevOps engineers, architects and product owners – we’ve created a full day of both hands-on and thought-leadership programming. With just a one-day investment at an affordable rate, we can take someone from where they are today on security and advance their understanding significantly about where they stand today in terms of security and where they should be going. It’s also on a Friday for a reason – finish up the week connecting with a few hundred of your colleagues and getting some great info to boot.
What does the future have in store for Security by Design?
PE: I can see us organizing multiple Meetup chapters around the country, and possibly the world, and then continuing to put on a fun annual conference for the community to look forward to. The podcast is also on a path to grow in popularity as the need for all developers to embrace security gets more and more traction.
What else do you think is important to tell people about Security by Design and/or upcoming events?
PE: We have an awesome group of supporters helping to make this happen including leading companies like Capital One, SonaType, NowSecure, and Mach37. Without that kind of support there may not be a community, and we’re thrilled to have such thought leaders in our camp.
Thanks to Pete for taking the time to explain more about Security by Design.