When you think about code security and who’s responsible for it, security teams often come to mind first. Traditionally, it’s their job to become familiar with the software, identify vulnerabilities, pen test, and form a response to potential security incidents. In truth, security should be an inter-team effort from strategy to deployment. As a developer, employing good security practices not only helps the security team but also allows you to create higher quality software more efficiently. Here are four essential tips to become a more secure developer.
1. Embrace security as a partnership
One of the best ways to become a secure developer is realizing that security is a partnership — a responsibility that rests on security professionals, engineers, and even business stakeholders.
In a recent episode of The Secure Developer podcast, Tim Crothers (SVP Chief Security Officer, Mandiant) explained that all development teams should be aligned on the effects of coding. “I’ve found at several organizations now, where I’ve helped build DevSecOps capability, that as we produce more secure code, inevitably, we’re producing more quality code as well.” (Crothers)
Understanding this relationship should improve communication between security and development teams. Developers must be open and honest about the potential hurdles that security team suggestions may produce. At the same time, security teams should avoid applying guardrails to developers without discussing the development team’s vision.
A true partnership between developers and the security team helps “produce things that solve business and security needs. And ultimately, […] drives innovation.” (Crothers)
2. Be aware of the software you ingest
If the Log4Shell incident taught us anything, it’s that vulnerabilities can present themselves even in widely used and trusted sources.
In Episode 110 of The Secure Developer, Guy and Jonathan Meadows (Head of Cloud Cybersecurity, Citigroup) discussed how important it is to know what software you are ingesting.
“[Ensure] you have a good understanding of how you’re developing your own source code and leveraging those open source components,” said Meadows. A good first step is compiling a software bill of materials (SBOM), a best practice that is currently championed by Dr. Allan Friedman of the Cybersecurity and Infrastructure Security Agency. An SBOM is a list of the components, usually open source, that make up a product. Embracing this concept, and creating such a list, will help both developers and security personnel know what’s going into their application.
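To make the SBOM idea concrete, here is an added example (not code from the original post, from Snyk, or from any SBOM tool) that reads a CycloneDX-style JSON SBOM, lists what the application ingests, and checks each component against an advisory list. The SBOM contents, component names, versions and advisory identifiers are all constructed placeholders; a real pipeline would load the SBOM produced by the build and pull advisories from a feed such as OSV or the GitHub Advisory Database, and would use each ecosystem's own version semantics rather than the simplified dotted-number comparison shown here.

```python
from __future__ import annotations

import json
import re

# Constructed CycloneDX-style SBOM (JSON). Every component name, version
# and purl below is made up for this example and describes no real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http-client", "version": "1.3.0",
         "purl": "pkg:pypi/example-http-client@1.3.0"},
        {"type": "library", "name": "example-yaml", "version": "5.4.1",
         "purl": "pkg:pypi/example-yaml@5.4.1"},
        {"type": "library", "name": "example-template", "version": "2.0.0-rc1",
         "purl": "pkg:pypi/example-template@2.0.0-rc1"},
        # A vendored dependency with no recorded version: a gap in the inventory.
        {"type": "library", "name": "vendored-blob"},
    ],
})

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# "introduced" is inclusive, "fixed" is exclusive, as in OSV-style ranges.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "example-http-client",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "example-yaml",
     "introduced": "5.0.0", "fixed": "5.4.0"},
]


def version_key(text: str) -> tuple:
    """Sort key for dotted numeric versions with an optional pre-release tag.

    '1.3' compares equal to '1.3.0', and '2.0.0-rc1' sorts before '2.0.0'.
    This is a simplification; real ecosystems (PEP 440, semver, Maven) have
    their own rules and a production checker should use their libraries.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)(?:[-+.]?(.*))?$", text)
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so that 1.3 == 1.3.0.0
    suffix = match.group(2) or ""
    # A plain release sorts after any pre-release of the same number.
    return nums + ((1, "") if not suffix else (0, suffix))


def components(sbom_text: str) -> list:
    """Return the component list of a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return bom.get("components", [])


def audit(sbom_text: str, advisories: list) -> list:
    """Match SBOM components against advisories and flag inventory gaps.

    Returns one finding per affected component version, plus one finding
    per component that has no version and therefore cannot be checked.
    """
    findings = []
    for comp in components(sbom_text):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            findings.append({"component": name, "issue":
                             "unversioned component; cannot be matched"})
            continue
        for adv in advisories:
            if adv["name"] != name:
                continue
            affected = (version_key(adv["introduced"]) <= version_key(version)
                        < version_key(adv["fixed"]))
            if affected:
                findings.append({"component": name, "version": version,
                                 "issue": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for comp in components(SAMPLE_SBOM):
        print(f"ingesting: {comp['name']} {comp.get('version', '<no version>')}")
    for finding in audit(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print("finding:", finding)
```

Run against the constructed input, the audit reports the vulnerable example-http-client version with the release it should be upgraded to, and separately flags the unversioned vendored component, which is the kind of blind spot an SBOM is meant to surface before deployment.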
Developers looking to improve their security skills should install the Open Source Security Foundation’s Scorecards GitHub Action. It automatically scans open source projects after any repository change, and allows maintainers to view security alerts right on their GitHub dashboard. When you mitigate vulnerabilities during product development, there are fewer roadblocks and problems when it’s time for deployment.
3. Understand potential use cases for your product
Discovering the possibilities of your software is exciting. In a fast-paced, digital world, it’s tempting to see innovation possibilities and be the first to fulfill them. However, it’s important for developers to consider all the ways their product might be used.
For Rinki Sethi (Vice President and Chief Information Security Officer, Twitter), personnel who can see potential use cases from the customer lens are highly valuable. Teams need “people who can really sit in the shoes of the customer so that we can enable development teams.” (Sethi)
Understanding customer use cases helps developers see the potential risks their application faces — which is critical to improving communication with security teams.
4. Take advantage of security champion programs
Many organizations run “security champions” programs to train developers in secure coding practices and foster partnership between security and development teams.
In Episode 84 of The Secure Developer, Nick Vinson (DevSecOps Lead, Pearson) explained that “the real strategy for deploying [developer security] at scale is through the security champions program where we have a nominated developer in each team who’s responsible for security. Then we train them up.” (Vinson)
The program’s main purpose “is the training and the knowledge transfer to the security champion” who then passes the knowledge and skills to the rest of their team (Vinson).
Security champion programs are one of the best ways to deliver in-house security training. From promoting collaboration to establishing security standards across teams, each developer has the opportunity to become more secure.
If you’re a developer looking for more security tips from some of the best minds in the industry, check out The Secure Developer on Apple Podcasts, Spotify, or wherever you get your podcasts.
Senior Manager, Global Communities at Snyk
About Sam Hepburn
Sam has spent the past decade in London becoming a well-known face of the tech startup scene, working with a variety of organisations within London and now globally, building some of the largest tech communities in the world. Her main aim is to create environments where individuals feel welcome and communities flourish.
She’s currently leading the community team at Snyk.io, including DevSecCon, helping developers adopt security into their development workflows. She is the producer of The Secure Developer podcast and sits on the Steering Committee for Devoxx UK.