How to do cyber security: it’s all about developers, except when it’s not

By : Krishna Anindyo | Thursday, February 20 2020 - 14:07 IWST

Synopsys Software Integrity Group (Images by BusinessNews Indonesia)

INDUSTRY.co.id - To get security testing results in front of developers, who are in the best position to address them effectively, you need automation and integration. Product security is hard. The goal is to minimise risk by finding and fixing as many vulnerabilities as possible.

Developers create vulnerabilities. A vulnerability is born every time a developer does not correctly handle a corner case, or forgets to validate some input, or makes some other mistake. Knowing this, you can quickly use logic to come to a completely incorrect conclusion.

Developers make vulnerabilities. Vulnerabilities increase risk. Therefore, to reduce risk, let’s make it so developers won’t make mistakes, using a combination of public shaming and security education. The flaw in that reasoning is that the problem is not that developers are unaware of security, or disinterested.

Well, sometimes that is the problem, but more on that later. The real reason developers make vulnerabilities is that they are human. The reason these vulnerabilities persist into released products is that developers are working inside a broken system.

Developers really are rock stars. We sometimes say, tongue in cheek, that developers are rock stars, and the analogy holds. Suppose you went to see a concert by the Jonas Brothers. The Jonas Brothers are the developers in this scenario.

While they bring their own talents to the event, it won’t be much of an experience without the instrumentalists in the band, the lighting technicians, the sound people, the ticket sellers, the people that take care of the venue, and so forth. Performers cannot succeed if they are not placed in an environment that helps them succeed.

Likewise, if you want to minimise risk in the products you’re making, you must surround your developers with a process that helps them succeed.

The system is broken. Unfortunately, developers are trained to value functionality above all else. Think about it. When undergraduate computer science students have to do homework, they start with a list of requirements, the assignment itself.

They use whatever they can get to fulfill the requirements. Beyond that, some assignments have automated tests that must also be passed. The students are focused solely on providing the required functionality.

Fast-forward to the workplace, where the story is much the same. Developers start with a list of requirements, created by a product manager or a designer. They use whatever they can get to fulfill the requirements. Beyond that, they might have to pass some automated tests. The developers are focused solely on providing the required functionality.

It’s akin to asking someone who has just learned how to nail two pieces of wood together to build a house. Would you feel safe walking around on the upper floor? Would the walls stay up in a strong wind?

With the right tools, developers can be your biggest asset. Through a combination of intense security training and a program of severe punishments for security vulnerabilities, we should be able to make developers write better code, right?

Security training is an excellent idea. Among other benefits, security training will help developers write better code. But no matter how much training your developers get, they are still human and will still make mistakes.

The key is improving the process and giving your developers the right tools. Instead of having developers focus solely on functional hurdles, add security testing tools into the automated build and test processes. With the right integrations, developers can work from the same to-do list they’ve already been using (likely Jira) and fix functional and security issues in the same smooth workflow.

Let developers be developers. Developers are the creative heart of your product organisation. Part of the work of moving to a secure development life cycle is trying to minimise disruption to your organisation. While it is important to provide security education to everyone in the organisation, including developers, you cannot expect that developers will start writing code that is free of vulnerabilities.

The keys to effectively implementing security testing are integration and automation. Security testing has to happen automatically, and it has to work with your existing processes. Developers are at the center of this dance, so it’s important to get security testing results in front of developers just like you would with any other type of test results.

Integrating with existing build pipelines and issue tracking systems provides this visibility, and an IDE-based solution like Code Sight provides even tighter feedback loops, accelerating your secure development process. With the right tools, developers will help your team create more secure, more robust, better products.
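The two pieces the article keeps coming back to, security findings landing in the build pipeline and in the developers’ existing issue tracker, are easy to state and a little fiddly to get right: a rescan must not open a duplicate ticket for a bug the developer already has on their list, and the build gate should trip on severity rather than on raw finding count. The script below is an added example, not Synopsys or Code Sight code. It assumes the scanner writes SARIF 2.1.0 (the OASIS interchange format most static-analysis tools can emit) with a `security-severity` score on each rule, as GitHub code scanning expects; the SARIF document is constructed for the example, and `InMemoryTracker` is a hypothetical stand-in for a Jira integration.

```python
"""Turn static-analysis findings into developer work items and a build gate.

Added example, not Synopsys code. Assumes SARIF 2.1.0 input whose rules carry
a "security-severity" property. SAMPLE_SARIF is constructed; InMemoryTracker is
a hypothetical stand-in for an issue tracker such as Jira.
"""
import hashlib
import json

# Constructed SARIF 2.1.0 report standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.0"}},
            {"id": "LOG-002", "properties": {"security-severity": "3.1"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL built from unsanitised input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"primaryLocationLineHash": "a1b2c3"}},
            {"ruleId": "LOG-002", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/audit.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def fingerprint(res, loc):
    """Stable key for a finding: the scanner's own partialFingerprints when
    present, else a hash of rule + file + line. A stable key is what stops a
    rescan from opening a second ticket for the same bug."""
    pf = res.get("partialFingerprints", {})
    if "primaryLocationLineHash" in pf:
        return f"{res.get('ruleId')}:{pf['primaryLocationLineHash']}"
    raw = f"{res.get('ruleId')}|{loc['artifactLocation']['uri']}|{loc['region']['startLine']}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def parse_sarif(text):
    """Flatten SARIF results into dicts carrying what a developer needs to act."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            rule = rules.get(res.get("ruleId"), {})
            sev = float(rule.get("properties", {}).get("security-severity", 0.0))
            findings.append({
                "rule": res.get("ruleId"),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "message": res["message"]["text"],
                "severity": sev,
                "fingerprint": fingerprint(res, loc),
            })
    return findings


class InMemoryTracker:
    """Hypothetical stand-in for an issue tracker such as Jira."""

    def __init__(self):
        self.issues = {}  # fingerprint -> issue dict

    def sync(self, findings):
        """Open one issue per new fingerprint; leave tracked ones untouched."""
        opened = []
        for f in findings:
            if f["fingerprint"] in self.issues:
                continue
            issue = {"summary": f"[{f['rule']}] {f['file']}:{f['line']}",
                     "description": f["message"], "severity": f["severity"]}
            self.issues[f["fingerprint"]] = issue
            opened.append(issue)
        return opened


def build_should_fail(findings, threshold=7.0):
    """Pipeline gate: fail when any finding meets the severity threshold."""
    return any(f["severity"] >= threshold for f in findings)


if __name__ == "__main__":
    found = parse_sarif(SAMPLE_SARIF)
    tracker = InMemoryTracker()
    print(len(tracker.sync(found)), "issues opened")
    print(len(tracker.sync(found)), "issues opened on rescan")  # 0: deduplicated
    print("build failed" if build_should_fail(found) else "build passed")
```

Two choices matter here. Deduplication keys on the scanner’s `partialFingerprints` when it provides them, because a line hash survives code moving up and down the file, whereas a rule/file/line hash would open a fresh ticket every time an unrelated edit shifts the finding by one line. And the gate is a severity threshold rather than “any finding fails the build”, so low-severity noise goes onto the developers’ to-do list without blocking the release train, which is the point of fitting security testing into the existing workflow rather than bolting a veto onto it.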
