Developers are Not Security Experts, but They can be with The Right Tools

By: Patrick Carey | Wednesday, August 05 2020 - 21:45 IWST

Patrick Carey, Director of Product Marketing, Synopsys (Photo by Linkedin)
Software has revolutionised the way in which we work, live and play. This is particularly visible in software security, because development teams are releasing code faster than ever before. But with the ever-increasing velocity at which software is released, along with the rise of automation, we are also witnessing a rapid escalation in cyber-attacks and the resulting security breaches. This acceleration may be aided by the steady rise in the use of open source software, whose source is publicly accessible and can often be modified by other parties (subject, of course, to the licence terms attached to the specific open source code).

As more software is developed every day, the number of software vulnerabilities rises with it. This is why securing the software you build is key at each stage of development, from the beginning to the end of the software development lifecycle (SDLC). In reality, however, developers are often not trained in software security concepts. According to Forrester research, of 40 distinct university computer science programs across the United States, not one requires students to take a secure coding or secure application design course.

With little progress towards integrating such courses into the core curriculum in the near future, organisations struggle with the cyber skills gap. According to Forrester’s 2019 Business Technographics Global Security Survey, 21% of security decision makers noted that hiring security employees with the right skills was one of the biggest security challenges they currently face. As such, employees are expected to learn on the job or obtain skills from external sources to infuse security mechanisms into their work.

This lack of secure coding and secure application design training may be a contributing factor in the rise of security breaches: 33% of organisations have suffered a breach as a result of an externally initiated attack.

While your developers may not be trained as security experts, with support from their organisations they can become savvier about the security of the software they build. Let's walk through three actionable ways to enable your developers through tooling that integrates into their current processes without slowing them down:

1. Getting the foundation right

Open source is a massive asset to development teams. In fact, as one Gartner report puts it, “In most modern DevOps development projects, the majority of code used in an application is made up of open source.” At the same time, open source vulnerabilities are increasing tremendously each year. There was a 50% increase in reported open source vulnerabilities from 2018 to 2019. To reap the benefits of open source components securely, consider implementing a software composition analysis (SCA) solution early within the SDLC.

Static application security testing (SAST) is another tooling solution that establishes a security baseline early in the development process. By implementing a SAST solution early, vulnerabilities can be identified and remediated sooner, which saves your organisation both time and money.

To achieve a more streamlined and hassle-free development process, more testing should be done at the design and development stages. Imagine coding a widget, finding a vulnerability in it a week later, and having to work through the code again; it is inconvenient and time-consuming. Identifying vulnerabilities early therefore helps developers manage turnaround time, making security and development easier and more productive.
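To make the SCA point from this section concrete, here is an added example of the check such a tool performs: it reads a pinned dependency manifest, looks each component up in an advisory table, and returns findings so a CI job can fail early in the SDLC rather than after release. This is illustrative code written for this page, not Synopsys's or any vendor's tooling; the package names, versions and advisory identifiers are constructed placeholders, and real SCA tools consult curated vulnerability databases rather than an inline table.

```python
"""Minimal software-composition-analysis (SCA) style dependency gate.

Added example: the manifest, advisories and version scheme are constructed
for illustration and do not describe any real package or advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple  # first affected version, inclusive
    fixed: tuple       # first fixed version, exclusive
    advisory_id: str
    severity: str      # e.g. "low", "medium", "high", "critical"


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Parse a requirements.txt-style manifest into {name: version tuple}.

    Unpinned dependencies are rejected: a component whose exact version is
    unknown cannot be checked reproducibly, so the gate refuses to guess.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = parse_version(version)
    return pins


def find_vulnerable(pins, advisories):
    """Return (package, version, advisory_id, severity) for each pinned
    component whose version falls inside an advisory's affected range."""
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is None:
            continue
        if adv.introduced <= version < adv.fixed:
            findings.append((adv.package, ".".join(map(str, version)),
                             adv.advisory_id, adv.severity))
    return findings


def gate(requirements_text, advisories, fail_on=("high", "critical")):
    """Return (passed, findings). The build fails only on severities listed
    in fail_on, so lower-severity findings are reported but not blocking."""
    findings = find_vulnerable(parse_requirements(requirements_text), advisories)
    blocking = [f for f in findings if f[3] in fail_on]
    return len(blocking) == 0, findings


# Constructed sample manifest and advisory table (placeholders, not real data).
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed example)
exampleparser==2.3.1
safelib==1.0.0
"""

SAMPLE_ADVISORIES = [
    Advisory("exampleparser", (2, 0, 0), (2, 4, 0), "EXAMPLE-ADV-0001", "high"),
    Advisory("otherlib", (1, 0, 0), (1, 2, 0), "EXAMPLE-ADV-0002", "critical"),
]


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for pkg, ver, adv_id, sev in findings:
        print(f"{sev.upper():8} {pkg}=={ver} affected by {adv_id}")
    print("build", "PASSED" if passed else "BLOCKED")
```

Running the block as a script prints one line per finding and a final PASSED or BLOCKED verdict; in a pipeline you would exit non-zero on BLOCKED so the problem surfaces before the code moves to later stages.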

2. Learning from coding mistakes in real-time and beyond

There are tools that fit seamlessly into the integrated development environment (IDE) in which developers write code. Security tools such as the Code Sight IDE plugin scan code and identify vulnerabilities, enabling developers to find and fix flaws in their code in real time. IDE integration tools such as Code Sight also act as an educational resource, letting developers learn from the new and common mistakes they make as they work. Suggested fixes and contextual information are offered to help the developer understand the potential vulnerability.

If a developer would like more information about a particular security issue, there are additional resources available. There are brief eLearning courses tailored to developers for ongoing training. Resources like this make debugging code faster and more effective on an ongoing basis, whether the developer enters your organisation with a security background or not.

3. Scale up as you shift left within the SDLC

Shifting security activities left (in other words, earlier) in the development process may seem daunting to developers where speed is of the utmost importance. However, development teams can adopt additional tooling and resources such as those we’ve just covered as they scale up, shift left, and do so without dampening development velocity.

Embracing open source software, looking to automate detection and identification as well as shifting security earlier in the development process are the future.

And despite the widespread shortage of skilled secure development experts, the right tools and resources will help developers manage security throughout the development process. Applying multiple techniques at various stages in the SDLC also enables organisations to lower their risk without compromising the focus of development teams: hitting delivery deadlines and maintaining development velocity by infusing security throughout, rather than tacking it on at the end of the process.
