Scademy’s Keynote on Application Security in Luxemburg
On September 27th, we were invited by our Luxemburg partner (Telindus) to perform a keynote as an opening for their “Smile Breakfast Event”, which had “Do it right at first” as main theme.
Cyber security is an ongoing issue, and a growing problem. We were therefore not surprised by the audience turnout, nor by how engaged they were during the Q&A session. We kicked off the keynote with an introduction to positive and negative security, and then moved on to a quick explanation of the Software Development Life Cycle, bug detection and fixes, and the costs associated with them. We finished with slides on the current situation and some notable hacks of the last three years. The presentation can be downloaded at the bottom of this post.
On top of the presentation, a lot was to be learned during the round table as well as the Q&A session.
We were accompanied by Anna, an infosec specialist from Lombard International Insurance, as well as Tom, a security consultant from Telindus.
The highlights of the round table were the following:
- Proactive security usually originates from a large project that requires top-notch security.
- Top-level management is usually very cautious when it comes to the security budget, and prefers to invest the money later in the development life cycle.
- If security by design as well as secure coding practices are put in place, defects are found earlier and in smaller numbers, which generates less hassle down the line and a better ROI (see slides).
- A major problem is focusing the effort on pentesting towards the end of the SDLC… and then facing a dilemma between fixing the bugs or going into production and accepting the risks.
- Security from the very beginning makes changes and/or updates a lot easier to make, and audits and/or pentests a lot less nerve-racking.
- The importance of staying in control of your own code and libraries (quality assurance processes, pentesting of libraries, keeping long-term maintenance in mind, …).
- The importance of making developers feel responsible for their code; this can be achieved by training them. Training part of your team to be security champions, and letting them improve the skills of their co-workers, has shown results, especially in the USA.
- Employee retention is seen as a problem when talking about employee training… Managers are unwilling to train people who will leave the company half a year later. However, what happens if you do not train your developers, and they decide to stay in your company and write bad code?
Interesting questions were raised by the audience after the round table. A couple of those questions were the following:
- The third-party problem: a lot of companies outsource their development needs to third parties. How can they then keep security under control? How can they make sure that the third party has security first in mind? How can they enforce security? Well… the first thing that comes to mind is not to leave out the “mother” company either! It is the responsibility of both to ensure security by design and secure coding practices. In the case of a third party lacking the necessary skills… what should be done? Try to find another third party? Force them to take on the necessary education? Co-finance that education?…
- Using standards: another interesting question was how security standards can be used to enforce security. We could speak from experience on that one. One of our latest projects was to teach the engineering department of a company active in the travel and tourism industry. They needed us to educate their engineers on secure coding best practices in order for them to win a project requiring PCI-DSS (section 6 states that you need to be able to produce secure applications).
It does feel great to see more and more IT professionals convinced that security first is the right way forward. However, there is still a long way to go. Chances are that YOU yourself are not yet part of that community.
Don’t be a stranger… Download the PDF and read it through. Share this article on your social networks, and let’s together further build this growing community of secure coders.