Application Security Lessons from Star Trek: How Kirk & Spock Can Inspire Secure Code - Part 1
August 22, 2016

Amit Ashbel
Checkmarx

At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so?

Well, we live in a world where the software industry is boldly going where it hasn't gone before. Applications form the lifeline of any business today. But they are under attack more than ever before. Cybercrime has risen exponentially in recent years, exposing a wide range of vulnerabilities in web and mobile applications. According to Verizon's 2016 Data Breach Investigations Report, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.

Most of these security issues are caused due to poor coding practices, which lead to poor application code integrity. In other words, hackers are exploiting application-layer loopholes in poorly-coded applications to initiate their attacks.

As legions of fans indulge in the film's next installment, Star Trek Beyond, let's look at the Kirk/Spock-style teamwork that needs to happen between two different species -- app development and IT security professionals -- in order to achieve application security best practices, secure coding specifically, and safeguard our enterprises.

In the spirit of collaboration, here are 4 ways for security teams to get developers excited about creating secure code:

1. Clear visualization

Do you want to boldly go where no man has gone before? Say you're in Paris and you want to take the Metro from the Louvre to the Eiffel Tower. Lacking a map, but armed with the list of stations and the respective train lines that stop at that station, you'll mentally calculate the easiest or quickest route.

The old static application security testing (SAST) tools worked in a similar fashion. They presented the developers with a long list of flaws and left it to the developers to pinpoint the location of the vulnerability. The heavy active and time-consuming involvement of developers within the security process alienated them from the exact process already at such an early stage.

It does not need to be that way any longer. Today's advanced SAST solutions enable developers to actually visualize the flaw: the solutions highlight the path that lead to the vulnerability. This type of visualization provides developers with a quick reference that pinpoints the flaw. More so, it allows developers to visualize how fixing a certain part of the code eliminates all flaws caused by that particular buggy piece of code and reduces the number of mitigation points required thus reducing the developer's effort significantly.

Returning to our Paris Metro example, this is similar to having a map app which provides the tourist with an interactive map displaying the various routes from the Louvre to the Eiffel Tower – and highlighting the quickest one.

The use of visualization alleviates developers from the security burden. In a quick and efficient manner, developers are able to continue their code development while spending very little time on fixing security vulnerabilities however still understanding and learning from the experience.

2. Teamwork

When we look at the development process we can see that many times developers work as part of a team. However, when it comes to fixing bugs, developers tend to find themselves alone in the process and reach a point where they realize they've given it all they got, captain!

That should not be the case. In fact, teamwork can very much be part of the SAST process. Here are some examples of how teamwork can be enhanced within the secure development process:

■ Providing feedback on the quality of the repair. An important aspect of any learning process is measuring how well information is applied. When it comes to security, it is important to track the progress of the code quality over time. This can be done, for instance, by tracking the number of security flaws found from one code review to the next. This type of feedback from an early stage of the development lifecycle saves time, money and improves overall code quality.

■ Consulting between developers. This means providing the developers with an encouraging environment to openly discuss the issues they face. Consequently, peers can walk through security practices and learn from others' past experiences.

■ Establishing a shared knowledge base within the company. Sharing experiences, tips and best practices does not necessarily need to be by word-of-mouth or between small teams. Rather, knowledge should be shared, updated and maintained in a central searchable knowledge base.

For 2 more ways security teams can get developers excited about creating secure code, Read Part 2

Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.

Share this

Industry News

July 13, 2020

Docker announced a collaboration with Amazon Web Services (AWS) to simplify the lives of developers by allowing them to focus on application development, streamlining the process of deploying and managing containers in AWS from their local development environment.

July 13, 2020

Perforce Software announced the release of a combined JRebel and XRebel plugin for the Eclipse IDE.

July 13, 2020

Spectro Cloud announced that its first product—Spectro Cloud—is now generally available.

July 09, 2020

ShiftLeft released a new version of NextGen Static Analysis (NG SAST), including new workflows, purpose-built for developers that significantly improve security, while enhancing productivity.

July 09, 2020

RunSafe Security announced a partnership with JFrog that will enable RunSafe to supercharge binary protections via a simple plugin that JFrog users can deploy within their Artifactory repositories and instantly protect binaries and containers.

July 09, 2020

LeanIX closed $80 million in Series D funding led by new investor Goldman Sachs Growth.

July 08, 2020

Afi.ai introduced Afi Data Platform, a cloud-based replication and resiliency service that helps to monitor, predict downtime and recover K8s applications.

July 08, 2020

D2iQ announced the release of Conductor, a new interactive learning platform that enables enterprises to access hands-on cloud native courses and training.

July 08, 2020

SUSE entered into a definitive agreement to acquire Rancher Labs.

July 07, 2020

Micro Focus announced AI-powered enhancements to the intelligent testing capabilities of the UFT Family, a unified set of solutions designed to reduce the overall complexity of automating the functional testing processes.

July 07, 2020

Push Technology announced the launch of a new Service API capability for Diffusion Cloud, Push’s Real-Time API Management Cloud Platform.

July 07, 2020

Lightrun exited stealth and announced $4M in seed funding for the first complete continuous debugging and observability platform for production applications.

July 01, 2020

JFrog announced the launch of ChartCenter, a free, security-focused central repository of Helm charts for the community.

July 01, 2020

Kong announced a significant upgrade to open source Kuma, Kuma 0.6, available today.

July 01, 2020

Compuware Corporation, a BMC company, announced new capabilities that further automate and integrate test data and test case execution, empowering IT teams to achieve high-performance application development quality, velocity and efficiency.