So, you’ve just started your job as a developer at a new company. Congratulations! Before you dive into writing code, there’s something you should do first: check your company’s information security policy!
If you’re like I was back in the day, you want to roll up your sleeves, sit in front of a keyboard, and prove to the rest of the team (or maybe just your boss) that you’re a peerless developer who can crank code out buckets of profound code. There are models, views, and controllers that need developed — who has time for reading something dry like a security policy?
You do! If you want to maximize your success, you should make time. Why? Because you need to know how to fulfill the security obligations that your company has decided to take on. Those can take many forms. A young and small company may decide that it doesn’t need a security policy. That’d be useful for you to know, because in the event of some kind of public security “issue,” how do you think the public will react? And if the public reacts badly, how will your management team react? If a company doesn’t have a security policy of some form, you should see that as a warning: the company may not take security seriously, so you should keep your options open.
Another company may be more wise — it may understand the value a clearly written security policy has for an organization and its customers. The company’s making a statement that security is important. That’s reassuring to customers in this day and age where bad actors break into companies and steal data all the time. Some customers are sophisticated enough to demand certifications that require an information security policy. ISO 27001, though not really popular in the United States, is one example. If you’re interested, I’ve had really good luck with 27001 Academy at advisera.com. They have a clear writeup on what makes a good information security policy. And if you’re really interested, you can download free abbreviated examples or buy more extensive samples from the same site.
Within the United States, it’s more likely that smart companies will have an information security policy without the ISO certification. The site sans.org has some great free examples of information security polices of various kinds.
Again, why’s this important?
I’ve been a developer for a long time. I remember getting excited when dBase III (not III+ — that came later!) allowed me to use ASCII characters to draw boxes around menus. In my experience, there are a handful of traits that the most successful developers are. One of those traits?
Respect for security.
As a new or intermediate developer, taking security seriously — being able to build secure code in about the same amount of time it takes other developers to crank out less secure code — will set you apart.
You’ll be better able to delight your customers. In the final analysis, delighted customers are what it’s all about.
What do you think? Does your company have a robust and well-written security policy? Has the concept even occurred to them? Let me know in the comments!
by Terrance A. Crow
Terrance has been writing professionally since the late 1990s — yes, he’s been writing since the last century! Though he started writing about programming techniques and security for Lotus Notes Domino, he went on to write about Microsoft technologies like SQL Server, ActiveX Data Objects, and C#. He now focuses on application security for professional developers because… Well, you’ve watched the news. You know why!