Greetings readers. As I travel and meet with HP's large enterprise customers I've learned something new that I wanted to share. Maybe it's only obvious to me, and maybe I'm behind the times - but it appears to me that we (and by "we" I mean us security folks) have vastly over-complicated our relationship with developers. Shame on us.
If you don't agree with me, read on. If you already agree, simply nod your head and move on, as I'll be preaching to the choir.
My point is that as the IT Security function we have entirely forgotten what makes a good security process work - simplicity and adoption. We've made our processes so hard to follow that our adoption rates are abysmal, and yet we wonder why our application security programs are failing.
Without telling you what tools you should be using (so I don't sound like a sales pitch) here are the things that work more than they fail...
- K.I.S.S. - Keep It Simple Security! Why do things need to be complicated to be powerful & effective?
- Model your process around the target audience - find out how your developers work and make sure the tools you recommend are in line with that workflow. If your developers do weekly builds but write code all day long, ask yourself whether it makes sense to "security check" that code at build time, or from within the IDE as they write it.
- Check --> Understand --> Remediate - Your process must be this simple. The security check must be ultra-simple to execute, it must give developers the ability to understand what is wrong (watch the false positives!), and it must provide them with immediate feedback on how to remedy the situation.
- Use the carrot, not the stick - Forcing people to use something makes you a tyrant; helping them succeed makes you a trusted advisor.
- Gather metrics.
- Use metrics to reward those developers who are getting better.
- Public floggings are a great way to make sure people are too afraid of the results to use your process.
- Avoid work duplication.
- Developers love shortcuts; quite simply - help your developers do something right once and then re-use that process/module in the future.
- Allow others to learn from the lessons of the one.
Just some thoughts... don't take my word for it though. Sit down with your developers. Ask them what would make "security" work for them and you'll hear many of the above things said!
Good luck.
Posted 06-05-2008 8:39 PM by RafalLos