Helping developers rally for secure code year-round – SecAdvent Day 11
December 11, 2020
Another national cybersecurity awareness month has come and gone, serving as a month-long reminder that there are other scary threats out there, existing outside of the spooky stuff often seen around Halloween in October.
It’s a time of reflection for many companies, some of which use it to assess current levels of security awareness across the organization. Training on social engineering-based vulnerabilities like phishing emails isn’t uncommon, but the best companies dedicate significant time to the technical side of security within the business, and they bring developers on that journey so they can keep cybersecurity front-of-mind as they build software. Typically, this takes the form of some education around coding securely, and perhaps a “capture the flag” style activity or two.
There’s just one problem, however: at the conclusion of these security-focused events, it can be the case that these activities are packed up and put away until the next one. In a climate where cybercrime is tipped to cost the world $6 trillion by 2021, we simply can’t afford to put security on the backburner for eleven months of the year. And the development teams sitting within most organizations are key to stemming the flow of software vulnerabilities and subsequent data breaches, if only they had the knowledge and skills to eradicate common security bugs from the beginning of the software development process.
There are no easy answers when it comes to fighting cyber threats, but if security was intrinsic to the developer workflow, and they were supported to take their rightful place in a seamless DevSecOps environment, we’d be much better off.
To that end, here are some ideas for making security — and secure coding — a theme for developers year-round.
Champion a more secure development process
Helping consumers stay safe online is a noble goal. But companies, especially those that create and deploy software, need to go beyond that. The very best companies will prioritize a full-scale security program that ensures that all employees can play a part in defending private data. And it’s the development team that stands to benefit the most from the right approach.
One of the best ways to support this effort is by establishing security champions within your developer community. Champions are essentially volunteers who help spread the word about an organization’s security message, while staying alert to potential issues as they crop up. They don’t have to be security pros. In fact, the nature of their mission requires that they have other areas of expertise, like high EQ and communication skills. But each champion should have a great interest in security and in ensuring that the organization’s software and applications provide necessary controls and protections.
The most successful organizations place champions in the developer cohort. It’s well known that AppSec teams and developers often clash, because their objectives don’t always seem to be in alignment. But ultimately, they have the same goal of deploying working software in a safe way that both protects and serves their users. Having security champions working together on both sides of that fence can go a long way to uniting the two groups in their common goal. Particularly for developers, becoming security-aware can provide extremely marketable skills that allow them to shine above their less security-minded colleagues.
Security as code
Companies that make security a part of their DNA have a far more robust security posture, and are much better equipped to defend against any digital disasters that may come their way. Security best practices need to be interwoven into everything an organization does right from the beginning, and one of the best ways to do that is by adopting the mantra of infrastructure as code.
This is a relatively new concept, and the idea is that developers who are writing secure code by default can make sure that vulnerabilities are eliminated from programs before they are even deployed. In a sense, security becomes part of the infrastructure of the coding process. Companies can still add firewalls and vulnerability scanners to their defensive architecture to protect their networks, but if the code running their applications is secure to begin with, then the tooling suite won’t have as much to do. A security program should always be optimized, and while tools will always be part of a strong posture, when developers are coding securely it will mean the SAST (and other AST) scanners will be focusing on edge cases, hard-to-find problems, and not bogged down with the small stuff.
And if you can automate this process to help your developers embrace it, so much the better. Automating development with infrastructure as code allows an organization to declare the intended state of its infrastructure as an overarching policy, providing instructions for configuring applications while standardizing and simplifying the process. Instead of manually making changes after an application has been deployed, the desired configuration is entered in a repository where it can be vetted and approved for execution so that software is created and deployed exactly as specified, every single time.
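The "vetted and approved for execution" step above is where security as code becomes concrete: the declared state of the infrastructure is checked by policy code before anything is applied. The following is an added illustration, not code from the SecAdvent post or from Secure Code Warrior: it takes a constructed, Terraform-like description of a few resources (the field names are assumptions chosen for readability, not any provider's real schema) and runs two small policies over it, returning findings that a CI job could post on the pull request and a gate decision that blocks the apply step while findings remain. Production pipelines would do the same with tools such as checkov, tfsec or OPA/conftest against a real plan.

```python
"""Policy-as-code gate for a declared infrastructure state (added example).

The resource schema below is a constructed, Terraform-like shape used only
for illustration; real checkers parse actual plan output.
"""
import ipaddress
from typing import Dict, List

# Constructed "intended state" as it would sit in the repository awaiting
# review. Two resources are deliberately misconfigured so the gate has
# something to reject.
DECLARED_STATE: Dict[str, List[dict]] = {
    "security_group": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "storage_bucket": [
        {"name": "assets", "public": False, "encrypted": True},
        {"name": "backups", "public": True, "encrypted": False},
    ],
}

# Administrative and database ports that must never be reachable from the
# whole internet (policy constant, assumed for this example).
ADMIN_PORTS = {22, 3389, 3306, 5432}


def _is_world_open(cidr: str) -> bool:
    """True when the CIDR covers every IPv4 address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(state: Dict[str, List[dict]]) -> List[str]:
    """Flag ingress rules that expose an admin port to the internet."""
    findings = []
    for sg in state.get("security_group", []):
        for rule in sg.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and _is_world_open(rule["cidr"]):
                findings.append(
                    f"security_group.{sg['name']}: port {rule['port']} "
                    f"open to {rule['cidr']}"
                )
    return findings


def check_buckets(state: Dict[str, List[dict]]) -> List[str]:
    """Flag buckets that are public or lack encryption at rest."""
    findings = []
    for bucket in state.get("storage_bucket", []):
        if bucket.get("public"):
            findings.append(f"storage_bucket.{bucket['name']}: public access enabled")
        if not bucket.get("encrypted", False):
            findings.append(f"storage_bucket.{bucket['name']}: encryption at rest disabled")
    return findings


def review(state: Dict[str, List[dict]]) -> List[str]:
    """Run every policy; the list is the review comment left on the change."""
    return check_security_groups(state) + check_buckets(state)


def approve(state: Dict[str, List[dict]]) -> bool:
    """Gate decision: only a clean declared state may be applied."""
    return not review(state)


if __name__ == "__main__":
    for finding in review(DECLARED_STATE):
        print("DENY:", finding)
    print("approved" if approve(DECLARED_STATE) else "rejected")
```

Because the policies are plain functions in the repository, they are reviewed, versioned and tested like any other code, and a developer sees the rejection on the pull request rather than from a scanner weeks after deployment.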
Security awareness starts with support
There is no better time to start developing a strong internal community that embraces the concepts of security champions, best practices, and infrastructure as code, and empowering developers with the right tools, knowledge, and motivation to code securely is a huge win for the organization (and a huge headache for the bad guys). Prioritize relevant training, and actively listen to the concerns of developers if processes are changed to accommodate security. What could be done to make things more seamless for them? Do they need more time to get up to speed, or access to tooling? Work with them on viable, mutually beneficial solutions, and your organization can only thrive by making security numero uno in your software development process.
About Matias Madou
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. When he is away from his desk, he serves as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec, and BruCon. He also loves a Fortnite battle or two (or three, or four… ).