At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so?
Well, we live in a world where the software industry is boldly going where it hasn't gone before. Applications form the lifeline of any business today. But they are under attack more than ever before. Cybercrime has risen exponentially in recent years, exposing a wide range of vulnerabilities in web and mobile applications. According to Verizon's 2016 Data Breach Investigations Report, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.
Most of these security issues are caused due to poor coding practices, which lead to poor application code integrity. In other words, hackers are exploiting application-layer loopholes in poorly-coded applications to initiate their attacks.
As legions of fans indulge in the film's next installment, Star Trek Beyond, let's look at the Kirk/Spock-style teamwork that needs to happen between two different species -- app development and IT security professionals -- in order to achieve application security best practices, secure coding specifically, and safeguard our enterprises.
In the spirit of collaboration, here are 4 ways for security teams to get developers excited about creating secure code:
1. Clear visualization
Do you want to boldly go where no man has gone before? Say you're in Paris and you want to take the Metro from the Louvre to the Eiffel Tower. Lacking a map, but armed with the list of stations and the respective train lines that stop at that station, you'll mentally calculate the easiest or quickest route.
The old static application security testing (SAST) tools worked in a similar fashion. They presented the developers with a long list of flaws and left it to the developers to pinpoint the location of the vulnerability. The heavy active and time-consuming involvement of developers within the security process alienated them from the exact process already at such an early stage.
It does not need to be that way any longer. Today's advanced SAST solutions enable developers to actually visualize the flaw: the solutions highlight the path that lead to the vulnerability. This type of visualization provides developers with a quick reference that pinpoints the flaw. More so, it allows developers to visualize how fixing a certain part of the code eliminates all flaws caused by that particular buggy piece of code and reduces the number of mitigation points required thus reducing the developer's effort significantly.
Returning to our Paris Metro example, this is similar to having a map app which provides the tourist with an interactive map displaying the various routes from the Louvre to the Eiffel Tower – and highlighting the quickest one.
The use of visualization alleviates developers from the security burden. In a quick and efficient manner, developers are able to continue their code development while spending very little time on fixing security vulnerabilities however still understanding and learning from the experience.
When we look at the development process we can see that many times developers work as part of a team. However, when it comes to fixing bugs, developers tend to find themselves alone in the process and reach a point where they realize they've given it all they got, captain!
That should not be the case. In fact, teamwork can very much be part of the SAST process. Here are some examples of how teamwork can be enhanced within the secure development process:
■ Providing feedback on the quality of the repair. An important aspect of any learning process is measuring how well information is applied. When it comes to security, it is important to track the progress of the code quality over time. This can be done, for instance, by tracking the number of security flaws found from one code review to the next. This type of feedback from an early stage of the development lifecycle saves time, money and improves overall code quality.
■ Consulting between developers. This means providing the developers with an encouraging environment to openly discuss the issues they face. Consequently, peers can walk through security practices and learn from others' past experiences.
■ Establishing a shared knowledge base within the company. Sharing experiences, tips and best practices does not necessarily need to be by word-of-mouth or between small teams. Rather, knowledge should be shared, updated and maintained in a central searchable knowledge base.
For 2 more ways security teams can get developers excited about creating secure code, Read Part 2
Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.