Dealing with the “Security is Special” problem
In the last entry in our series on cultural challenges in application security, we introduced the “Security is Special” problem: application security issues hold a trump card over all other development issues, and that can erode the relationship between security & development.
In our experience, insisting on high priorities for all security issues is one of the biggest detriments to building productive relationships between security & development. The HTTPOnly cookie example comes up often in the real world. Certainly, there is some inherent risk with not implementing this kind of control, but the cost of fixing it may not outweigh the opportunity cost of closing other defects and/or building features.
Good security teams make the development staff aware of security issues and articulate real risks without hyperbole. They understand and empathize with development teams who have seemingly endless lists of defects to fix and features to implement. Framing security vulnerabilities as defects and prescriptive controls as features allows development teams to make their own trade-off decisions. This, in turn, fosters more trust between development and security, which eases adoption of future application security initiatives.