"That creates a sense that it's everyone's job," Snyder says.
The argument for more clearly defined security roles
The maxim that everyone is responsible for security sounds simple enough on its face, but not everyone is on board. Count among the dissenters Jonathan Carter, a veteran security professional and software engineer who argues for more clearly delineated roles within the development team.
"I take a slightly more controversial approach," Carter says. "Whenever I see something like 'security is everyone's responsibility,' that makes me cringe inside because, really, that means security is no one's responsibility. It's the diffusion of responsibility psychological principle, where suddenly it's on no one's radar and it's just this amorphous concept. So as a software engineer, I would say your responsibility is to identify issues and confer with your local security champion within your immediate team."
There was scant disagreement, however, on the broader point that startups and mature companies alike would do well to elevate security as an organizational priority.
And to the concern that a more security-intensive development process would carry more cost than a cash-strapped startup could afford -- to say nothing of the delay in time to market -- Akhawe urges firms to consider the alternative, the disastrous effects of a breach or the release of a product with glaring vulnerabilities.
"Security's much, much, much cheaper the earlier you do it," he says.