Mr Builder: ‘I only had 14 days to build this web app; I don’t have time to keep up with the demands of continuous testing and security.’
Mr Breaker: ‘Your application has insufficient transport layer protection and insecure direct object references, and don’t even get me started on the security misconfigurations.’
Mr Builder (Yellow) loves to build, and Mr Breaker (Red) loves to break. It is no wonder these two do not get along. In many cases, the builders wait for a penetration test Excel sheet from the breakers, Google their way to changing a few configurations in the code, and get back to their job of building more apps and software.
Can we be best friends?
In most organisations, security doesn’t see eye to eye with other teams and works in isolation from the rest of the business. Integrating security is crucial to developing effective and secure business functions.
The Orange team is one such concept, in which the Red team inspires and educates the Yellow team to build secure applications. The real reason for application security faults is not malicious programmers but the lack of security training in the development process. Collaboration between the Yellow and Red teams makes everyone’s job easier: the Red team has fewer bugs to report and the Yellow team has fewer bugs to fix.
The job of security professionals is to work with the software builders and not against them.
Orange is the new Purple!
In her research paper ‘Orange is the New Purple’, April C. Wright (Information Security and Compliance expert) addressed the need for, and techniques to, fill the gaps between software builders and security teams. The concept of the Purple team has been around for years now. The Purple team helps to optimise both the Red team’s and the Blue team’s efforts, guiding an organisation through process improvement and training SMEs to detect an attack.
However, the Purple team fails to address the basic question: ‘Where are these vulnerabilities coming from?’
This is where the Orange team comes into play. The prime goal of an Orange team is to equip developers with an attacker’s mindset. As executives and business and IT leaders, it is important to promote such a collaborative culture between the Red and the Yellow teams. The result is better coders, who then train each other to embed the security culture.
If you are looking to empower your builders with best security practices, Privasec’s Secure Development Training is a tailored training program for developers, helping them to become better coders. The course covers the following items:
- An introduction to the top software vulnerabilities, with examples and techniques for preventing them
- An introduction to several Secure System Development Lifecycle (SDLC) methodologies, with hands-on training on mitigating systemic issues in applications with large code bases
Learn more about our Secure Development Training here