Even relatively small security issues on the surface have opened up opportunities for significant cyber-attacks. The Log4Shell exploit is a recent example of how malicious code has revealed opportunities for a successful attack. Many businesses have admitted to knowingly shipping vulnerable code, and clearly this is a calculated risk based on time to market with new features and products. However, the consequences of these calculated risks of shipping lower-quality code could be far greater than projected, resulting in very costly data breaches.
Reactivity is commonplace among developers when it comes to secure code, and while varied approaches are valuable for each stage of code development through to deployment, failing to have security at the forefront is a risky strategy that opens up opportunities for a cyber-attack or breach. With this in mind, how do organisations pivot towards preventability while retaining reactive elements as the attack surface widens?
The pitfalls of solely scanning and scrutinising post-deployment
In a technology-driven world, the creation of code is still very much under the jurisdiction of developers. Despite a growing understanding that they hold the responsibility for the implementation of secure code, reactive technology tools such as scanners remain one of the most common methods of upholding security. This typically means scanning code for irregularities or vulnerabilities at the end of the software development lifecycle or scrutinising already-written code for potential vulnerabilities.
The pitfall with this is the fact that potentially vulnerable code has already been published by the time it is security-checked. Other reactive methods that organisations may also take include measuring the seriousness of defects, checking the elapsed time since the discovery of defects, defect counts and time to resolve defects. Far more value comes when development teams think of security earlier in the software development lifecycle and ensure that secure code is considered under the bracket of quality code. This means adopting preventative strategies alongside reactionary checks.
Training is key to improving secure coding
In recent research from Secure Code Warrior, 53% of respondents said secure code training could most improve productivity by eliminating common software vulnerabilities and reducing future work, while 52% said it could eliminate errors that later cause re-works or patches. However, the survey also “indicates that while the concept of training is welcome, current training methods are not engaging or informative enough to make the kind of impact needed to truly help organisations evolve into implementing robust secure coding practices.”
Many of the current methods are inadequate and irrelevant, unstructured and unengaging for developers. When asked about what could be done to improve the quality of the training programs at their companies, developers said they wanted to see more of an emphasis on practical training using real-world examples that were relevant to their jobs (30%). More interactivity was also seen as critical by 26% of the respondents, especially if they were able to practice writing secure code as part of that training. Guided training focusing on specific vulnerabilities was seen as important to 23% of the developers surveyed, while 22% wanted to see more vulnerability examples in their training courses.
The development of security champions across every stage of a project can also help to ensure that security requirements stay top of the priority list from inception to delivery while improving alignment and collaboration between teams. Along with a focus on greater awareness of compliance frameworks such as NIST, CIS and PCI DSS in addition to OWASP Top 10, this approach can help developers write secure code at speed.
Ingraining a secure coding culture into the SDLC
To enable secure coding from the start of the Software Development Lifecycle (SDLC), developers must gain the necessary skills to write better code and keep it front-and-centre during all stages, from development to deployment. Empowering them with the knowledge and skills to bake security into written code from the outset will be the key to shifting from reactivity to prevention. This will not only reduce the incidence of vulnerabilities but enable organisations to reduce costs and ship quality code more quickly and confidently.
Because developers are a critical cog in making a preventative approach work, enabling secure coding from the outset will also play a positive role for teams. When developers clearly understand what their managers expect secure code to entail, this develops a level of trust and a sense of shared responsibility for the overall level of code quality within the business. Once this happens, the quality of code will ultimately increase and become ingrained into team culture, allowing the strongest security net to be cast over the organisation’s potential attack surface.
About the author: Matias Madou is CTO & Co-Founder at Secure Code Warrior.