How to Transform Developers into Security People

Explore a comprehensive approach to transforming developers into security-minded professionals in this 52-minute conference talk. Delve into the challenges of integrating security practices into development workflows, examining why traditional training methods often fall short. Discover the four common developer responses to security initiatives and learn how to tailor your approach to each. Gain insights into creating a programmatic platform for change, addressing developer objections, and fostering a security-focused mindset. Uncover strategies for measuring transformation and acquire valuable secrets for effectively engaging developers in security practices. Learn how to position security as relevant to different developer attitudes, from the unfamiliar to the gung-ho, and build a foundation for a more secure development process.

Introduction
Agenda
The average developer
Myths about security
We already have a security department
The state of developer security
Developers are the first line of defense
Developers think like security people
What defines a security person
Start with why
This is a people problem
Four different answers
The Unfamiliar
Foundational Lessons
Everyone is a Security Person
Proactive Controls
Overworked
Automate
Objections
The Apathetic
The Shock Value
The Pain
Thegungho
Security Community
Security People
Security Behaviors
Security Habits
Security Learning
Experience Security
Community Participation
Planning Resources
Threat Modeling
Security Code Review
Red Teaming
Respond to Security Problems
Putting it All Together
Takeaways
Questions
Behavior not process