Root-Causing Culture Impact on the Secure-by-Design Transformation


We built a dashboard that aggregates feeds from various security-specific tools in our DevSecOps Tool Chain. The result was an eye opener on the effect of organizational culture and individual behavior on the application security posture. The Developer Dashboard collects data from tools such static code analysis, dynamic app-scan, open source scan, JIRA, source code repository/version control, LMS (training), LDAP, and others. The data is visualized to help identifying root cause for repeated introduction of vulnerable code or poor quality code as related to effort that includes the adoption of secure coding practices, management endorsement of the secure-by-design mentality, availability or lack of proper training, legacy apps with dead or obsolete code, or applications with no active development or support. The capabilities of the dashboard provide a view all the way from the individual contributor up to the CIO (navigating the LDAP hierarchy) to help establish a scope of the problem whether (isolated or wide-spread) and help in identifying a proper remedy across teams and organizations where similar conditions existed.

The aggregated data into a single dashboard rendered the information more accessible and helped in addressing some important concerns and questions: - Measuring indicators of the secure-by-design transformation - Explain the significant variations in the Vulnerability Density and relation to obsolete/dead code clean-up - Rate of reusing common code and its implications on the cost of remediation vs. overall risk and probability of discovery of vulnerabilities - Defining a custom vs. standard training program to yield a higher ROI - Managing remediation through a risk-reduction vs. compliance approach - Building awareness about real threats and cyber-attacks in the wild - Prioritizing the remediation of vulnerabilities (e.g., OWASP Top 10, exploitability, severity) - Distribution of roles and skills in the org (Management vs. individuals, doers vs. management, junior vs. senior, …) - Impact of geographical distribution of team on other indicators

The dashboard was never meant to be a glorified, metric-driven to-do list. Rather, it was intended, through the use of data visualization and pattern correlation, to help in understanding the key drivers of an accelerated and needed culture change.



Manah Khalil

Manah has over 20 years of software engineering in various roles including architecture, design, testing, and security. That helped me look at application security and its impact, seen from the