
Have a meeting to communicate the problem and risks to developers #3

Open · marietheresa opened this issue Oct 5, 2023 · 0 comments

Labels: developers (Involves interaction with your developers in some shape or form), essential (If at all possible, you should do this)

Comments

marietheresa (Owner) commented Oct 5, 2023

Just bring it up. If you have a regular meeting with your developers, great, use that. If you don't, maybe there's another regular meeting where you can get 10 minutes to discuss security topics. The point of this issue is to make everyone aware that you're working on something that will likely result in a change that will affect them.[1] So explain the thing, explain why and how it poses risks to your organization, and promise to keep everyone updated (and then actually do #4).

So, if I were trying to communicate why we need a security scanning tool, I'd talk about how we currently don't know how secure our source code is, how that puts us at risk from vulnerabilities in our own source code, but also known vulnerabilities in external dependencies, and how easy it is to find secrets (often in an automated way) in repositories. And how you can't improve what you don't measure.

Footnotes

[1] These initial meetings are also an excellent way to find people who are already aware of the problem, and I promise you they exist. Those people can be really great allies and/or partners. Have them give you feedback early and often, let them point out favourable and unfavourable management, have them tell you about their pain points and use those in #10 (Host introductory workshops to enable developers).

marietheresa added the essential (If at all possible, you should do this) label Oct 5, 2023
marietheresa added this to the 1 Pre-contemplation milestone Oct 5, 2023
marietheresa added the developers (Involves interaction with your developers in some shape or form) label and removed the communication label Oct 14, 2023