Secure Code Warrior

Secure development should be AppSec’s immune system

As an application security professional, it’s your job to ensure the security of your organization’s applications. You’re not, however, responsible for writing the code those applications are built from. Engineers within the development team are. So how do you make sure that they’re developing those systems with security in mind?

Most likely you’re doing some or even all of the following: 

  • Reviewing all code for security flaws and reporting them back to the development team to fix.
  • Enforcing a strict peer review process throughout your secure development lifecycle.
  • Having regular application assessments or penetration tests done by internal or external security teams.
  • Running scanning tools to flag vulnerabilities.

These are sound practices, but they are also expensive and reactive, like taking a course of antibiotics every time you get sick. Each round has a real cost, and treating symptoms after the fact does nothing to stop the next infection; relied on alone, it becomes less effective over time.

How do you ensure the code developers ship is written securely in the first place?

Secure coding aside, first think about how people learn. Most of us retain far more from doing than from being told. And yet secure code training is often provided as a ‘tick-the-box’ activity with little relevance to a developer’s daily work. It is designed to prove that developers have undergone security training, often to comply with industry standards, not to help them retain the knowledge, let alone enjoy the learning process.

Humans also learn from their mistakes, much as the immune system does. Memory T cells remember the pathogens they have encountered and eradicated in the past, so that they can respond faster the next time. Developers should play the same role in your secure SDLC: each vulnerability they have seen and fixed should make the next occurrence easier to spot.

It’s unrealistic to expect them never to make mistakes, but you can train them to recognize the coding patterns that turn into security vulnerabilities before those patterns ship.

This is also what makes a robust peer review process so powerful. Just because one developer doesn’t notice a security flaw does not mean that another won’t. And the better trained the development team is as a whole, the more likely vulnerabilities will be stopped in their tracks and never make it to production.

Software vulnerabilities are like pathogens

Software vulnerabilities are like pathogens in the sense that you have to remember them in order to fight them. With pathogens, our immune system often needs several exposures before it reliably remembers how to fight a given one and can avoid severe sickness or worse.

A successful attack on vulnerable software can cripple or even kill an organization. But if developers are first introduced to software vulnerabilities in a controlled environment, they can build immunity to those threats by steadily expanding and regularly practicing their secure coding knowledge and skills.

Expose developers to security flaws in a controlled environment

We can never fully protect ourselves from getting sick, but there are things we can do to boost our immune systems and stay as healthy as possible. Regular exercise, healthy eating, and plenty of sleep are among the lifestyle choices commonly associated with a strong immune system. All of them require effort, and all of them must be continuous. Going on a jog every day for a week or giving up drinking for a month will barely make a dent in your overall health. Nor is it advisable to run a 10k on the first day you take up running; your heart and muscles need to be exposed to the exercise gradually. It also takes some experimenting to find a balance that suits your body, with healthy foods and exercises you actually enjoy.

It’s not so different when it comes to secure software development. Learning happens over time and with practice, and developers need the same ongoing training to keep their secure coding skills sharp. Software development is always evolving, and so are the vulnerabilities. That’s why a single training course is not enough. Developers need regular upskilling to stay familiar enough with current threats to defend against them.

Aim to achieve herd immunity within the development team

A single person can’t prevent every security issue. Security champions on the team are valuable, but the more people who have learned about security vulnerabilities and how to prevent them, the better your organization’s chances of keeping those vulnerabilities out. Again, it’s not much different from how the immune system relies on different types of T cells for different purposes. Every developer is part of a team that shares responsibility for security. If they’re empowered to take that responsibility, do it well, and even enjoy doing it, you create herd immunity against cyber threats within the development team.

Keep security top of mind with repeat exposure

Our brains learn in a similar way to how our immune systems work. German psychologist Hermann Ebbinghaus was a pioneer in the field of memory and learning. He documented the forgetting curve: newly learned material decays rapidly unless it is revisited, so durable learning requires multiple sessions spread over time. When we’re in school, we’re never expected to retain new knowledge after a single introduction. First the information is presented to us, then we practice it with guidance, and then we practice it on our own. And even after we have learned it well enough to pass an exam, the information tends to be forgotten shortly afterwards if we don’t regularly use what we spent the time and effort to learn. How many of us can claim we remember our high school French?

So how can we expect a single day of slides and lectures about security to make the developers in attendance code more securely?

Patterns of recurring vulnerabilities show us that this simply doesn’t work. 

How do you achieve secure development immunity?

The answer lies in our nature. Our bodies and minds work the same way, and both offer elegant solutions, as long as we work with them rather than against them.

To ensure that your applications are secure, you need to start by upskilling developers to write secure code. Otherwise AppSec will keep spending all of its time reviewing code for security flaws and reporting the same recurring vulnerabilities back to development, where they are quickly fixed with nothing learned, and then do it all over again for the next release.

To put it another way: work with your development managers to upskill developers, and you’ll not only be implementing a secure SDLC and ticking the compliance box for security training, you’ll be making a real-world impact on the development process. As a bonus, AppSec will stop encountering and reporting the same vulnerabilities to development teams, and developers will spend less time fixing them. That means they can spend more time creating and improving the software that makes our world better.

Ready to upskill your development team? Go ahead and book a demo with us.