How to Cyber Security, It’s all about developers, except when it’s not
By : Krishna Anindyo | Thursday, February 20 2020 - 14:07 IWST
Synopsys Software Integrity Group (Images by BusinessNews Indonesia)
INDUSTRY.co.id - To get security testing results in front of developers, who are in the best position to address them effectively, you need automation and integration. Product security is hard. The goal is to minimise risk by finding and fixing as many vulnerabilities as possible.
Developers create vulnerabilities. A vulnerability is born every time a developer does not correctly handle a corner case, or forgets to validate some input, or makes some other mistake. Knowing this, you can quickly use logic to come to a completely incorrect conclusion.
Developers make vulnerabilities, Vulnerabilities increase risk. Therefore, to reduce risk, let’s make it so developers won’t make mistakes. We’ll use a combination of public shaming and security education. The problem is not that developers are unaware of security, or disinterested.
Well, sometimes that is the problem, but more on that later. The real reason developers make vulnerabilities is that they are human. The reason these vulnerabilities persist into released products is that developers are working inside a broken system.
Developers really are rock stars. With tongue in cheek, we sometimes say that developers are rock stars. The analogy makes sense. Suppose you went to see a concert by the Jonas Brothers. The Jonas Brothers are the developers in this scenario.
While they bring their own talents to the event, it won’t be much of an experience without the instrumentalists in the band, the lighting technicians, the sound people, the ticket sellers, the people that take care of the venue, and so forth. Performers cannot succeed if they are not placed in an environment that helps them succeed.
Likewise, if you want to minimise risk in the products you’re making, you must surround your developers with a process that helps them succeed.
The system is broken. Unfortunately, developers are trained to value functionality above all else. Think about it. When undergraduate computer science students have to do homework, they start with a list of requirements, the assignment itself.
They use whatever they can get to fulfill the requirements. Beyond that, some assignments have automated tests that must also be passed. The students are focused solely on providing the required functionality.
Fast-forward to the workplace, where the story is much the same. Developers start with a list of requirements, created by a product manager or a designer. They use whatever they can get to fulfill the requirements. Beyond that, they might have to pass some automated tests. The developers are focused solely on providing the required functionality.
It’s akin to asking someone who has just learned how to nail two pieces of wood together to build a house. Would you feel safe walking around on the upper floor? Would the walls stay up in a strong wind?
With the right tools, developers can be your biggest asset. Through a combination of intense security training and a program of severe punishments for security vulnerabilities, we should be able to make developers write better code, right?
Security training is an excellent idea. Among other benefits, security training will help developers write better code. But no matter how much training your developers get, they are still human and will still make mistakes.
The key is improving the process and giving your developers the right tools. Instead of having developers focus solely on functional hurdles, add security testing tools into the automated build and test processes. With the right integrations, developers can work from the same to-do list they’ve already been using likely Jira and fix functional and security issues in the same smooth workflow.
Let developers be developers. Developers are the creative heart of your product organisation. Part of the work of moving to a secure development life cycle is trying to minimise disruption to your organisation. While it is important to provide security education to everyone in the organisation, including developers, you cannot expect that developers will start writing code that is free of vulnerabilities.
The keys to effectively implementing security testing are integration and automation. Security testing has to happen automatically, and it has to work with your existing processes. Developers are at the center of this dance, so it’s important to get security testing results in front of developers just like you would with any other type of test results.
Integrating with existing build pipelines and issue tracking systems provides this visibility, and an IDE-based solution like Code Sight provides even tighter feedback loops, accelerating your secure development process. With the right tools, developers will help your team create more secure, more robust, better products.