SAN FRANCISCO — You’ve heard the complaint a thousand times over: Security would be so much better if only the developers slowed down and wrote more ironclad code. Microsoft and other IT vendors have put a lot of effort into making that happen with things like the Security Development Lifecycle. There’s also BSIMM — the Building Security In Maturity Model — a set of best practices Cigital and Fortify developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success.But in the bigger picture, it almost seems like a losing battle some days. After all, companies and customers want new, better, faster apps with increasingly sophisticated features. In that atmosphere, a developer under pressure isn’t inclined to listen to the nagging security person in the room.Meanwhile, the folks who break software for a living aren’t necessarily the people who can fix it. So what are we to do?Brett Hardin, senior software engineer at Symantec, took a crack at answering the question at BSidesSF this morning.Hardin has been around the block. He’s worked as a pen tester, a product manager and, most recently, he’s taken on the role of “fixer” — trying to help bridge the gap between the developers and the breakers.He presented the following scenario:The builder (developer) mentality is to get it out there, make the features amazing and change the future. He made an example of Foursquare, which, he said, can care less about privacy because “the more you tell them, the more features they’ll give you.”Then there’s 37Signals. Hardin said their mentality is to get the product out as fast as possible, let the community find flaws, and they’ll fix them within two days. The breaker mentality, he said, is “Make it fail,love pwning, and say it’s all about secure development.” Out of this is the reality that breakers don’t know how to fix stuff. “They are like a wrecking ball,” he said.”A good wrecking ball man can’t build a building. Breakers oversimplify things by saying the hole they found is so easy to fix or that developers are stupid.” But code is very complicated. Fixing it is even more complicated, he said. In the end, perhaps it’s best to let the breakers break things, the builders build and focus on being the fixer, the one who bridges the gap, Hardin said.One thing is clear, he said: Dissing the developer will fail every time.The developer will always win the argument with a security person because the developer is doing what the top brass wants: Building new apps and building them fast.Firing developers and making examples of them won’t work for the same reasons.Not expecting them to understand security might be step one in moving things in the right direction, he suggests.Good food for thought. — Bill Brenner Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe