Developers’ key role within software engineering security
Application security has changed and evolved throughout the years. However, it is clear to see it failed to keep up with how software engineering has evolved. Developers are asked to code better and faster, improving features… which has a negative impact on sound security and quality practices. As a result, the code produced becomes more vulnerable, easier to hack… and the danger of falling victim to cyber-criminality starts to rise.
Developers have a key role in maintaining great security and quality within their daily coding practices. Most companies still struggle to join the dots when putting security and productivity on the same level.
Ask yourself the following : What if incorporating security from the start led to being more productive?
A look-back : Penetrate and Patch.
If we look back at the last 20 years, software engineering has been evolving at a high pace, with the accent put on quickness and features. As a result, most companies are amazing at producing applications in a speedy manner… by neglecting security from the start. Instead, they take on a “penetrate and patch” approach, hoping that this will save the day, should there be vulnerabilities in the code.
“Penetrate and patch” has quite a few limitations, among which :
- Developers can only patch issues they know about.
- Patches are often the results of market pressure, and often introduce new problems of their own.
- Patches usually only fixes the issues, but do not take a proper look at what is causing the problem.
- When looking at the end-user, patches are sometimes overlooked… A system admin which is overworked might not be so keen on applying a patch to a system that works.
This is still how lots and lots of companies operate, and part of the reasons why the state of IT security is so alarming.
What else can be done?
Know your enemy better than you know yourself.
As “Sun Tzu” said, “Know your enemy and know yourself and you can fight a hundred battles without disaster”.
We highly recommend companies to send some of their developers to hackers’ conferences. By doing so they will be able to understand how they think, how they act, what their motivations are, etc. By doing so, your developers will start to have a “security-first” mindset, which we help them code better.
All of our courses are presented in a way to achieve that goal as well, by providing our trainees with case-studies and live-hacking fun exercises. Our Java and Web Application course can be seen here.
Attend security conferences
Attending such conferences is a very good way of keeping up-to-date with best practices. Above all, those are a place where you can exchange with other devs, or security professionals on their success stories and set-backs.
Educate yourself, your team, your company!
The ultimate solution to make sure your developers are in great position to fulfill that key role in security, is simply to make sure they have the knowledge to do so. You may ask ten times a developer to make sure his piece of work cannot be hacked using Sequel Injection… if He does not know how to prevent it from happening, you might end up with an issue on our end.
Two types of learning methods are currently available. Online Learning (remote distance and/or CBT) and Onsite (F2F) learning.
While online learning presents some advantages (flexibility, easier roll-out when a lot of developers are concerned…), one can wonder how much knowledge really is retained by such a learning method.
On the other side, we have onsite live classroom, where trainees have a physical trainer in front of them, who presents them the knowledge and the challenges. Q&A is also happening live, and it is also easy for the trainer to validate understanding (or not) of the concepts taught.
Here below are some of the courses we have been providing companies with.
Comprehensive C# and .Net Application Security
Advanced JAVA and Web Application Security
Why educating software engineers in security?
It may happen that you do feel confident about your security practices… or that you have a security team in place. However, the odds are that they are likely to be overworked, and that makes it very hard to keep up with the latest hacking techniques and found vulnerabilities. That is why having a partner that will raise that security knowledge within your developing team will be of great help.
Stay Secure in 2017!