Building a Security-First Culture

And why Application Security is like wearing masks

Vickie Li

Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks, wherever you go.

This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hate masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh the cons. And by wearing face masks, we protect ourselves and our communities from the virus.

Application security is like wearing masks. Implementing secure practices requires a lot of effort but is ultimately good for you. Security tools get a bad rep. Developers worry that the tools will slow them down, make their work look bad, or even cost them their jobs when something goes wrong. In particular, static analysis tools are known for producing false positives that take a lot of manpower to triage. Remediation advice is usually generic and cryptic, requiring developers to spend time reading through extended documentation.

Despite these barriers, how can we create a culture around prioritizing application security like we created a culture of wearing masks?