marietheresa/improved-lamp

Have a meeting to communicate the problem and risks to developers

Opened this issue · 0 comments

Just bring it up. If you have a regular meeting with your developers, great, use that. If you don't, maybe there's another regular meeting where you can get 10 minutes to discuss security topics. The point of this issue is to make everyone aware that you're working on something that will likely result in a change that will affect them.[1] So explain the thing, explain why and how it poses risks to your organization, and promise to keep everyone updated (and then actually do #4).

So, if I were trying to communicate why we need a security scanning tool, I'd talk about how we currently don't know how secure our source code is, how that puts us at risk from vulnerabilities in our own source code, but also from known vulnerabilities in external dependencies, and how easy it is to find secrets (often in an automated way) in repositories. And how you can't improve what you don't measure.

Footnotes

  1. These initial meetings are also an excellent way to find people who are already aware of the problem, and I promise you they exist. Those people can be really great allies and/or partners. Have them give you feedback early and often, let them point out which parts of management are favourable and which are not, have them tell you about their pain points, and use those in #10.