Top AppSec Missteps In The Fight Against Cyber Criminals

By Maty Siman, November 30, 2021 (updated January 10, 2023)

Accelerated digital transformation efforts over the past two years have undoubtedly helped organisations survive the impact of a global pandemic. Whether it was the implementation of collaboration platforms, a shift to the cloud, or the move to flexible working practices, businesses have never had to move as rapidly to implement new ways of working.

To support these increased digital transformation efforts though, developers have been forced to innovate faster than ever before. In fact, 38% of developers are releasing software monthly, or faster.

This breakneck pace, combined with an increased reliance on cloud environments and resources, has made it extremely easy for a minor developer mistake to turn into a major security risk. It’s a trend cybercriminals have taken notice of, as witnessed in the major security incidents affecting the likes of SolarWinds and Microsoft Exchange.

At a time when developers couldn’t be more essential to maintaining business continuity, what are the potential missteps that they, and business leaders, need to be aware of and avoid if they’re to maintain the security of their applications?

Coding errors

Coding errors, or bugs, are often the result of mistakes or weaknesses introduced by developers when writing code. While mistakes may be inevitable, these weaknesses often stem from poor coding habits or from the characteristics of particular programming languages.

It’s an issue exacerbated by the fact that developers are traditionally measured on a functional basis, i.e. delivering features on time, rather than on security-focused deliverables such as producing secure code that is free of errors. As a result, application security (AppSec) just isn’t front of mind for developers.

Third-party vulnerabilities

The adoption of open-source components by software development teams saw a dramatic shift in the way developers worked. Instead of having to build software from scratch, they were able to use open-source components to provide common or repetitive features and functionalities. This freed up developers’ time, allowing them to focus more on key differentiators.

While the adoption of open-source has fuelled the software development space, it is still proving to be a big security risk for businesses. Open-source software is very much exposed to code errors and vulnerabilities, and the developers using third-party code aren’t doing enough to ensure that what they are using is bug-free.

Developer burnout

While it may not seem like a step towards stronger AppSec, it’s important to note the implications these increased digital transformation efforts have had on the mental and physical health of developers.

As developers find themselves in a cycle of aggressive productivity, business leaders need to be aware of the tell-tale signs of burnout: missed key deadlines, a lack of motivation and careless mistakes. The side effects not only harm the developers themselves, but also leave organisations more likely to experience elevated security risk through insecure code.

The solution?

There are a number of best practice initiatives which organisations need to take to ensure their developers not only have AppSec top of mind when developing and using code, but are also fully supported in the fight against the threat actors looking to take advantage of coding errors.

  1. Increased AppSec training

It’s vital for organisations to ensure that secure coding training and education for developers is ramped up. When executed effectively, these initiatives can have a lasting impact by providing DevOps teams with the knowledge and tools to become more aware of common security issues. Empowering teams through training to remediate problems in a timely manner will prevent flaws from becoming larger issues, whether they are in their own code or in open-source components.

To break through and make a real impression on developers, however, this training needs to be bitesize and gamified. Traditional training methods are no longer good enough to ensure engagement, so short, fun training sessions that fit into the day-to-day routine of developers are key.

  2. Sharing security responsibility

There is a common misconception that security only falls to the IT teams, and AppSec is solely the responsibility of developers. However, considering the evolving threat landscape we find ourselves in today, this simply isn’t the case.

Instead, there needs to be total alignment between DevOps and security teams (as well as business leaders) to create a comprehensive security strategy. It’s also imperative that this is led from the top, with leadership teams fully on board with, and responsible for, AppSec success.

  3. Automate, automate, automate

Organisations are automating key functions across their business to make the day-to-day jobs of their workers easier, and the same applies to developers. In fact, some of the key functions of a developer’s role, and the application security testing (AST) tools they use, are being automated to make security simpler. By providing the right automation tools, businesses can empower their DevOps teams to find and fix flaws without compromising speed or security.
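The third-party vulnerabilities section above says developers are not checking that the open-source components they pull in are free of known flaws, and this section says the answer is to automate that kind of check. The script below is an added example of what such an automated check does mechanically; it is not Checkmarx's code or any real AST tool. It parses a pinned lockfile, compares each pin against an advisory feed expressed as affected version ranges, and fails the build on any match. The lockfile contents, the package names (acme-*) and the advisory identifiers (ADV-PLACEHOLDER-*) are all constructed for the example.

```python
"""
Minimal software-composition check: flag pinned dependencies whose version
falls inside a known-vulnerable range. Added example, not a real tool; all
package names, versions and advisory ids below are constructed.
"""
import re

# Constructed sample lockfile in pip "requirements.txt" style, all pins exact.
SAMPLE_LOCKFILE = """\
# generated by a build tool (constructed sample)
acme-http==2.19.1
acme-web==2.0.3
acme-yaml==5.3
acme-crypto==41.0.7
"""

# Constructed advisory feed: package -> list of (introduced, fixed, id).
# A version v is affected when introduced <= v < fixed. The ids are
# placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = {
    "acme-http": [("2.0.0", "2.20.0", "ADV-PLACEHOLDER-1")],
    "acme-yaml": [("0", "5.4", "ADV-PLACEHOLDER-2")],
    "acme-web":  [("0", "1.0", "ADV-PLACEHOLDER-3")],  # fixed long before the pin
}


def parse_version(v):
    """Turn '2.19.1' into a comparable tuple of ints; pad to three components."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_lockfile(text):
    """Return {name: version} for exact '==' pins; skip comments and blank lines.

    Anything that is not an exact pin is rejected: a floating requirement
    such as 'pkg>=2.0' cannot be audited because the resolved version is unknown.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range, as advisories use)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(lockfile_text, advisories):
    """Return a sorted list of (package, pinned_version, advisory_id, fixed_version)."""
    findings = []
    for name, version in parse_lockfile(lockfile_text).items():
        for introduced, fixed, adv_id in advisories.get(name, []):
            if is_affected(version, introduced, fixed):
                findings.append((name, version, adv_id, fixed))
    return sorted(findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
    for name, version, adv_id, fixed in results:
        print(f"{name}=={version}: {adv_id} (upgrade to >= {fixed})")
    # Non-zero exit so a CI job fails the build on any finding.
    raise SystemExit(1 if results else 0)
```

Run as a CI step, the script exits non-zero whenever a pinned component sits inside an affected range, which is the point of automating the check: the developer does not have to remember to look. Two design choices matter in practice. Unpinned requirements are rejected rather than skipped, because a floating version cannot be matched against a range and silently ignoring it would let exactly the unverified components the article warns about through. Ranges are half-open (fixed version excluded), matching how advisory databases describe affected versions, so a pin at the fix version is correctly reported as clean.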

Final thoughts

Businesses will never be fully protected from cyber threats, especially as threat actors continue to evolve their tactics, techniques and procedures at an accelerated rate. Despite this, by adopting the initiatives above, organisations and developers can put their best foot forward in the fight against cybercrime, keeping themselves, and their code, as secure as possible.

Maty Siman, CTO at Checkmarx
