Developers are Not Security Experts, but They can be with The Right Tools

By : Patrick Carey | Wednesday, August 05 2020 - 21:45 IWST

Patrick Carey, Director of Product Marketing, Synopsys (Photo by Linkedin)

INDUSTRY.co.id - Software has revolutionised the way in which we work, live and play, and development teams are releasing code faster than ever before. But with the ever-increasing velocity with which software is released, along with the rise of automation, we are also witnessing a rapid escalation in cyber-attacks and the security breaches that follow. The steady rise in the use of open source software may be one contributing factor: its source code is publicly accessible and can often be modified by other parties, subject to the licence terms attached to the specific component.

As more software is developed each and every day, the number of software vulnerabilities rises with it. This is why securing the software you are building matters at each stage of development, from the beginning to the end of the software development lifecycle (SDLC). In reality, however, developers are often not trained in software security concepts. According to Forrester research, of 40 distinct university computer science programmes across the United States, not one requires students to take a secure coding or secure application design course.

With little progress towards integrating such courses into the core curriculum in the near future, organisations struggle with the cyber skills gap. According to Forrester’s 2019 Business Technographics Global Security Survey, 21% of security decision makers noted that hiring security employees with the right skills was one of the biggest security challenges they currently face. As such, employees are expected to learn on the job or obtain skills from external sources to infuse security mechanisms into their work.

The lack of secure coding or secure application design training may be a contributing factor in the rise of security breaches: 33% of organisations report suffering a breach as a result of an externally initiated attack.

While your developers may not be trained as security experts, with support from their organisations they can become savvier about the security of the software they build. Here are three actionable ways to enable your developers through tooling that integrates into their current processes without slowing them down:

1. Getting the foundation right

Open source is a massive asset to development teams. In fact, as one Gartner report puts it, “In most modern DevOps development projects, the majority of code used in an application is made up of open source.” At the same time, open source vulnerabilities are increasing tremendously each year. There was a 50% increase in reported open source vulnerabilities from 2018 to 2019. To reap the benefits of open source components securely, consider implementing a software composition analysis (SCA) solution early within the SDLC.
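To make the SCA idea concrete, here is a small added example (not Synopsys code, and not any real SCA product) of what such a tool does at its core: parse the project's dependency manifest, compare each pinned version against an advisory database, and report components that fall inside a vulnerable version range. The lock file, the advisory identifiers and the version ranges below are all constructed for the demonstration; a real tool would pull advisories from feeds such as the NVD rather than from an inline dictionary.

```python
"""Minimal software composition analysis (SCA) check.

Added illustration only: parses a pip-style lock file, compares each
pinned version against a constructed advisory list, and reports the
components whose version lies inside a vulnerable range.
"""
import re

# Constructed lock file content (not taken from any real project).
LOCK_FILE = """\
# requirements.lock
requests==2.19.1
urllib3==1.24.1
pyyaml==5.3.1
django==3.0.8
"""

# Constructed advisory database (ids and ranges are placeholders, not real CVEs):
# package -> list of (advisory id, introduced version, fixed version, remediation).
# A version is affected when introduced <= version < fixed, OSV-style.
ADVISORIES = {
    "urllib3": [("ADV-DEMO-0001", "1.0.0", "1.24.2", "upgrade to >=1.24.2")],
    "pyyaml":  [("ADV-DEMO-0002", "5.1",   "5.4",    "upgrade to >=5.4")],
    "django":  [("ADV-DEMO-0003", "3.0",   "3.0.8",  "upgrade to >=3.0.8")],
}


def parse_version(version):
    """Turn '1.24.1' into a comparable tuple, padded to three parts: (1, 24, 1)."""
    parts = [int(x) for x in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_lock_file(text):
    """Return {name: version} for every 'name==version' line; comments are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def is_vulnerable(version, introduced, fixed):
    """True when introduced <= version < fixed; the fixed version itself is clean."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(pins, advisories):
    """Return (package, version, advisory id, remediation) for each affected pin."""
    findings = []
    for name, version in pins.items():
        for adv_id, introduced, fixed, remediation in advisories.get(name, []):
            if is_vulnerable(version, introduced, fixed):
                findings.append((name, version, adv_id, remediation))
    return findings


if __name__ == "__main__":
    for name, version, adv_id, remediation in scan(parse_lock_file(LOCK_FILE), ADVISORIES):
        print(f"{name}=={version}: {adv_id} ({remediation})")
```

Note the boundary handling: django is pinned at exactly the fixed version, so it is not reported, while urllib3 and pyyaml fall inside their ranges. Running a check like this on every commit, rather than before release, is what "early within the SDLC" means in practice.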

Static application security testing (SAST) is another tool that establishes security early in the development process. Implemented early, a SAST solution lets vulnerabilities be identified and remediated while the code is still fresh, which saves your organisation both time and money.

To achieve a more streamlined and hassle-free development process, more testing should take place at the design and development stages. Imagine writing a widget, finding a vulnerability in it a week later, and having to work through the code again; it is inconvenient and time-consuming. Identifying vulnerabilities early helps developers manage turnaround time, making security and development easier and more productive.

2. Learning from coding mistakes in real-time and beyond

There are tools that fit seamlessly into the integrated development environment (IDE) in which developers write code. Security tools such as the Code Sight IDE plugin scan code and identify vulnerabilities as it is written, enabling developers to find and fix flaws in real time. IDE integrations such as Code Sight also act as an educational resource: developers learn from the new and common mistakes they make as they work, and suggested fixes and contextual information help them understand the potential vulnerability.
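Both the SAST point above and the IDE-plugin point here come down to the same mechanism: a static pass over the source that recognises dangerous patterns and returns a location plus a remediation hint. The following is an added toy version of that pass, written for this article and not the Code Sight plugin or any Synopsys product. It walks the Python AST of a constructed sample module and reports three patterns (a shell command built from run-time data, subprocess with shell=True, and yaml.load without a Loader); the sample source and the rule set are assumptions for the demonstration, and a real engine carries hundreds of rules with data-flow analysis behind them.

```python
"""Toy static application security testing (SAST) pass over Python source.

Added illustration only: walks the AST of a constructed sample file and
reports a handful of dangerous call patterns together with the kind of
remediation hint an IDE plugin would surface to the developer.
"""
import ast

# Constructed sample module: two injection sinks, one safe call, one unsafe loader.
SAMPLE_SOURCE = '''\
import os
import subprocess
import yaml

def run_report(user_input):
    os.system("report --user " + user_input)              # command string from data
    subprocess.run(["report", "--user", user_input])      # argv list: safe pattern
    subprocess.run(f"report --user {user_input}", shell=True)

def load_config(raw):
    return yaml.load(raw)                                  # no Loader given
'''

SHELL_SINKS = ("os.system", "os.popen")
SUBPROCESS_CALLS = ("subprocess.run", "subprocess.call", "subprocess.check_output",
                    "subprocess.check_call", "subprocess.Popen")


def _dotted_name(node):
    """Return 'os.system' for a Name/Attribute call target, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_string_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _keyword(node, name):
    """Return the ast.keyword named `name` on a Call, or None."""
    return next((k for k in node.keywords if k.arg == name), None)


class Finder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, rule id, message)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        # Rule 1: os.system/os.popen with a command that is not a plain literal.
        if name in SHELL_SINKS and node.args and not _is_string_literal(node.args[0]):
            self.findings.append((node.lineno, "shell-injection",
                f"{name}() receives a command string assembled at run time; "
                "pass an argument list to subprocess.run() instead"))
        # Rule 1b: subprocess.* with shell=True hands the string to a shell.
        if name in SUBPROCESS_CALLS:
            shell = _keyword(node, "shell")
            if shell is not None and isinstance(shell.value, ast.Constant) and shell.value.value is True:
                self.findings.append((node.lineno, "shell-injection",
                    f"{name}(..., shell=True) lets shell metacharacters in the "
                    "command string execute; drop shell=True and pass a list"))
        # Rule 2: yaml.load without an explicit Loader (positional or keyword).
        if name == "yaml.load" and len(node.args) < 2 and _keyword(node, "Loader") is None:
            self.findings.append((node.lineno, "unsafe-yaml-load",
                "yaml.load() without a Loader can instantiate arbitrary objects; "
                "use yaml.safe_load()"))
        self.generic_visit(node)


def scan_source(source):
    """Return findings as (line, rule id, message), sorted by line."""
    finder = Finder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, rule, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {message}")
```

The output pairs each flagged line with a concrete fix, which is what turns a scan result into the on-the-job learning the article describes; the argv-list call on line 7 of the sample is left alone, so the developer sees the safe pattern beside the unsafe one.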

If a developer would like more information about a particular security issue, there are additional resources available. There are brief eLearning courses tailored to developers for ongoing training. Resources like this make debugging code faster and more effective on an ongoing basis, whether the developer enters your organisation with a security background or not.

3. Scale up as you shift left within the SDLC

Shifting security activities left (in other words, earlier) in the development process may seem daunting to developers for whom speed is paramount. However, development teams can adopt additional tooling and resources such as those just covered as they scale up and shift left, without dampening development velocity.

Embracing open source software, looking to automate detection and identification as well as shifting security earlier in the development process are the future.

And despite the widespread shortage of skilled secure development experts, the right tools and resources will help developers manage security throughout the development process. Applying multiple techniques at various stages of the SDLC also enables organisations to lower their risk without compromising what development teams focus on: hitting delivery deadlines and maintaining development velocity, by infusing security throughout rather than tacking it on at the end of the process.
