Application Security Lessons from Star Trek: How Kirk & Spock Can Inspire Secure Code - Part 1
August 22, 2016

Amit Ashbel
Checkmarx

At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so?

Well, we live in a world where the software industry is boldly going where it hasn't gone before. Applications form the lifeline of any business today. But they are under attack more than ever before. Cybercrime has risen exponentially in recent years, exposing a wide range of vulnerabilities in web and mobile applications. According to Verizon's 2016 Data Breach Investigations Report, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.

Most of these security issues are caused due to poor coding practices, which lead to poor application code integrity. In other words, hackers are exploiting application-layer loopholes in poorly-coded applications to initiate their attacks.

As legions of fans indulge in the film's next installment, Star Trek Beyond, let's look at the Kirk/Spock-style teamwork that needs to happen between two different species -- app development and IT security professionals -- in order to achieve application security best practices, secure coding specifically, and safeguard our enterprises.

In the spirit of collaboration, here are 4 ways for security teams to get developers excited about creating secure code:

1. Clear visualization

Do you want to boldly go where no man has gone before? Say you're in Paris and you want to take the Metro from the Louvre to the Eiffel Tower. Lacking a map, but armed with the list of stations and the respective train lines that stop at that station, you'll mentally calculate the easiest or quickest route.

The old static application security testing (SAST) tools worked in a similar fashion. They presented the developers with a long list of flaws and left it to the developers to pinpoint the location of the vulnerability. The heavy active and time-consuming involvement of developers within the security process alienated them from the exact process already at such an early stage.

It does not need to be that way any longer. Today's advanced SAST solutions enable developers to actually visualize the flaw: the solutions highlight the path that lead to the vulnerability. This type of visualization provides developers with a quick reference that pinpoints the flaw. More so, it allows developers to visualize how fixing a certain part of the code eliminates all flaws caused by that particular buggy piece of code and reduces the number of mitigation points required thus reducing the developer's effort significantly.

Returning to our Paris Metro example, this is similar to having a map app which provides the tourist with an interactive map displaying the various routes from the Louvre to the Eiffel Tower – and highlighting the quickest one.

The use of visualization alleviates developers from the security burden. In a quick and efficient manner, developers are able to continue their code development while spending very little time on fixing security vulnerabilities however still understanding and learning from the experience.

2. Teamwork

When we look at the development process we can see that many times developers work as part of a team. However, when it comes to fixing bugs, developers tend to find themselves alone in the process and reach a point where they realize they've given it all they got, captain!

That should not be the case. In fact, teamwork can very much be part of the SAST process. Here are some examples of how teamwork can be enhanced within the secure development process:

■ Providing feedback on the quality of the repair. An important aspect of any learning process is measuring how well information is applied. When it comes to security, it is important to track the progress of the code quality over time. This can be done, for instance, by tracking the number of security flaws found from one code review to the next. This type of feedback from an early stage of the development lifecycle saves time, money and improves overall code quality.

■ Consulting between developers. This means providing the developers with an encouraging environment to openly discuss the issues they face. Consequently, peers can walk through security practices and learn from others' past experiences.

■ Establishing a shared knowledge base within the company. Sharing experiences, tips and best practices does not necessarily need to be by word-of-mouth or between small teams. Rather, knowledge should be shared, updated and maintained in a central searchable knowledge base.

For 2 more ways security teams can get developers excited about creating secure code, Read Part 2

Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.

Share this

Industry News

November 24, 2020

Red Hat announced new capabilities and features for Red Hat OpenShift, the company's enterprise Kubernetes platform.

November 24, 2020

Sectigo released Chef, Jenkins, JetStack Cert-Manager, Puppet, and SaltStack integrations for its certificate management platform.

November 24, 2020

DataStax released K8ssandra, an open-source distribution of Apache Cassandra on Kubernetes.

November 23, 2020

Spectro Cloud has released a new, self-hosted version of its flagship product, Spectro Cloud.

November 23, 2020

GitLab completed integration of Peach Tech, a security software firm specializing in protocol fuzz testing and dynamic application security testing (DAST) API testing, and Fuzzit, a continuous fuzz testing solution providing coverage-guided testing.

November 23, 2020

Fugue announced the availability of its SaaS product in AWS Marketplace, further simplifying the process for Amazon Web Services customers to use Fugue to bring their environments into compliance quickly, demonstrate compliance at any time, and Shift Left on cloud security.

November 19, 2020

Rollbar announced AI-assisted workflows powered by its new automation-grade grouping engine.

November 19, 2020

Buildkite expanded its integration with GitHub and introduced a new onboarding experience.

November 19, 2020

Rancher Labs launched a new Partner Program for the OEM and embedded community.

November 18, 2020

Puppet announced its evolution to an integrated automation platform to enable key business initiatives such as scaling DevOps, risk reduction, policy as code, and evolving cloud strategies.

November 18, 2020

Adaptavist has joined the GitLab partner program as a Select partner.

November 18, 2020

Postman launched the beta version of public workspaces, a hub that makes it possible for both API producers and consumers to seamlessly communicate and collaborate in real time without team or organizational boundaries.

November 17, 2020

Red Hat introduced new capabilities for Red Hat Enterprise Linux and Red Hat OpenShift intended to help enterprises bring edge computing into hybrid cloud deployments.

November 17, 2020

Humio announced the availability of the Humio Operator.

November 17, 2020

Accurics announced that Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC), has been extended to support Helm and Kustomize.