Developers are Not Security Experts, but They can be with The Right Tools
By : Patrick Carey | Wednesday, August 05 2020 - 21:45 IWST
Patrick Carey, Director of Product Marketing, Synopsys (Photo by Linkedin)
INDUSTRY.co.id - Software has revolutionised the way in which we work, live and play. This is particularly true in the realm of software security, as development teams are releasing code faster than ever before. But with the ever-increasing velocity with which software is released, along with the rise of automation, we’re also witnessing a rapid escalation in cyber-attacks and resulting security breaches. This acceleration may be aided by the steady rise in the usage of open source software, where access is made publicly accessible and can often be easily modified by other parties — of course, pending the license terms associated with the specific open source code.
As more software is being developed each and every day, there’s also a rise in software vulnerabilities. This is why securing the software you’re building is key at each stage of development — from beginning to end of the software development lifecycle (SDLC). However, in reality, developers are often not skilled in software security concepts. In fact, according to Forrester research, out of 40 distinct university computer science programs across the United States, not one requires students to partake in secure coding or secure application design courses.
With little progress towards integrating such courses into the core curriculum in the near future, organisations struggle with the cyber skills gap. According to Forrester’s 2019 Business Technographics Global Security Survey, 21% of security decision makers noted that hiring security employees with the right skills was one of the biggest security challenges they currently face. As such, employees are expected to learn on the job or obtain skills from external sources to infuse security mechanisms into their work.
The reality of the lack of secure coding or secure application design training may be a contributing factor in the rise of security breaches — with 33% of organisations suffering a breach as a result of an externally initiated attack.
While your developers may not be trained to be security experts, they can learn to become savvier with regards to the software they build with the support from their organisations. Let’s walk through three actionable ways to enable your developers through tooling solutions that integrate into their current processes without slowing them down:
1. Getting the foundation right
Open source is a massive asset to development teams. In fact, as one Gartner report puts it, “In most modern DevOps development projects, the majority of code used in an application is made up of open source.” At the same time, open source vulnerabilities are increasing tremendously each year. There was a 50% increase in reported open source vulnerabilities from 2018 to 2019. To reap the benefits of open source components securely, consider implementing a software composition analysis (SCA) solution early within the SDLC.
Static application security testing (SAST) is another tooling solution that establishes a security baseline early in the development process. By implementing a SAST solution early, vulnerabilities can be identified and remediated sooner, which saves your organisation both time and money.
In order to achieve a more streamlined and hassle-free development process, more testing should be implemented at the design and development stages. Imagine coding a widget, finding a vulnerability in it a week later, and having to look through the code all over again; it’s extremely inconvenient and time-consuming. Thus, identifying vulnerabilities early helps developers manage turn-around time, making security and development a lot easier and more productive.
2. Learning from coding mistakes in real-time and beyond
There are tools that can seamlessly fit into the integrated development environment (IDE) in which developers write code. Security tools such as the Code Sight IDE plugin scan code and identify vulnerabilities, enabling developers to identify and fix flaws in their code in real time. Additionally, IDE integration tools such as Code Sight act as an educational resource from which developers can learn about new and common mistakes they make as they work. Suggested enhancements and contextual information are offered to help the developer understand more about the potential vulnerability.
If a developer would like more information about a particular security issue, there are additional resources available. There are brief eLearning courses tailored to developers for ongoing training. Resources like this make debugging code faster and more effective on an ongoing basis, whether the developer enters your organisation with a security background or not.
3. Scale up as you shift left within the SDLC
Shifting security activities left (in other words, earlier) in the development process may seem daunting to developers where speed is of the utmost importance. However, development teams can adopt additional tooling and resources such as those we’ve just covered as they scale up, shift left, and do so without dampening development velocity.
Embracing open source software, looking to automate detection and identification as well as shifting security earlier in the development process are the future.
And despite the widespread lack of skilled secure development experts, tapping the right tools and resources will aid developers in managing security throughout the development process. Applying multiple techniques at various stages in the SDLC also enables organisations to lower their risk potential without compromising the focus of development teams — hitting delivery deadlines and maintaining development velocity by infusing security throughout, rather than tacking it on at the end of the process.