Application Security Lessons from Star Trek: How Kirk & Spock Can Inspire Secure Code - Part 1
August 22, 2016

Amit Ashbel
Checkmarx

At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so?

Well, we live in a world where the software industry is boldly going where it hasn't gone before. Applications form the lifeline of any business today. But they are under attack more than ever before. Cybercrime has risen exponentially in recent years, exposing a wide range of vulnerabilities in web and mobile applications. According to Verizon's 2016 Data Breach Investigations Report, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.

Most of these security issues are caused due to poor coding practices, which lead to poor application code integrity. In other words, hackers are exploiting application-layer loopholes in poorly-coded applications to initiate their attacks.

As legions of fans indulge in the film's next installment, Star Trek Beyond, let's look at the Kirk/Spock-style teamwork that needs to happen between two different species -- app development and IT security professionals -- in order to achieve application security best practices, secure coding specifically, and safeguard our enterprises.

In the spirit of collaboration, here are 4 ways for security teams to get developers excited about creating secure code:

1. Clear visualization

Do you want to boldly go where no man has gone before? Say you're in Paris and you want to take the Metro from the Louvre to the Eiffel Tower. Lacking a map, but armed with the list of stations and the respective train lines that stop at that station, you'll mentally calculate the easiest or quickest route.

The old static application security testing (SAST) tools worked in a similar fashion. They presented the developers with a long list of flaws and left it to the developers to pinpoint the location of the vulnerability. The heavy active and time-consuming involvement of developers within the security process alienated them from the exact process already at such an early stage.

It does not need to be that way any longer. Today's advanced SAST solutions enable developers to actually visualize the flaw: the solutions highlight the path that lead to the vulnerability. This type of visualization provides developers with a quick reference that pinpoints the flaw. More so, it allows developers to visualize how fixing a certain part of the code eliminates all flaws caused by that particular buggy piece of code and reduces the number of mitigation points required thus reducing the developer's effort significantly.

Returning to our Paris Metro example, this is similar to having a map app which provides the tourist with an interactive map displaying the various routes from the Louvre to the Eiffel Tower – and highlighting the quickest one.

The use of visualization alleviates developers from the security burden. In a quick and efficient manner, developers are able to continue their code development while spending very little time on fixing security vulnerabilities however still understanding and learning from the experience.

2. Teamwork

When we look at the development process we can see that many times developers work as part of a team. However, when it comes to fixing bugs, developers tend to find themselves alone in the process and reach a point where they realize they've given it all they got, captain!

That should not be the case. In fact, teamwork can very much be part of the SAST process. Here are some examples of how teamwork can be enhanced within the secure development process:

■ Providing feedback on the quality of the repair. An important aspect of any learning process is measuring how well information is applied. When it comes to security, it is important to track the progress of the code quality over time. This can be done, for instance, by tracking the number of security flaws found from one code review to the next. This type of feedback from an early stage of the development lifecycle saves time, money and improves overall code quality.

■ Consulting between developers. This means providing the developers with an encouraging environment to openly discuss the issues they face. Consequently, peers can walk through security practices and learn from others' past experiences.

■ Establishing a shared knowledge base within the company. Sharing experiences, tips and best practices does not necessarily need to be by word-of-mouth or between small teams. Rather, knowledge should be shared, updated and maintained in a central searchable knowledge base.

For 2 more ways security teams can get developers excited about creating secure code, Read Part 2

Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.

Share this

Industry News

May 17, 2022

DevOps Institute, a global professional association for advancing the human elements of DevOps, announced the release of the Upskilling IT 2022 report.

May 17, 2022

Replicated announced a host of new platform features and capabilities that enable their customers to accelerate enterprise adoption of their Kubernetes applications.

May 17, 2022

Codefresh announced that its flagship continuous delivery (CD) platform will be made accessible as a fully-hosted solution for DevOps teams seeking to quickly and easily achieve frictionless, GitOps-based continuous software delivery in the cloud.

May 16, 2022

Red Hat announced new capabilities and enhancements across its portfolio of open hybrid cloud solutions aimed at accelerating enterprise adoption of edge compute architectures through the Red Hat Edge initiative.

May 16, 2022

D2iQ announced a partnership with GitLab.

May 16, 2022

Kasten by Veeam announced the new Kasten by Veeam K10 V5.0 Kubernetes data management platform.

May 12, 2022

Red Hat introduced Red Hat Enterprise Linux 9, the Linux operating system designed to drive more consistent innovation across the open hybrid cloud, from bare metal servers to cloud providers and the farthest edge of enterprise networks.

May 12, 2022

Couchbase announced version 7.1 of Couchbase Server.

May 12, 2022

Copado added Copado Robotic Testing to Copado Essentials.

May 11, 2022

Red Hat announced new advancements within its Red Hat Cloud Services portfolio, delivering a fully-managed and streamlined user experience as organizations build, deploy, manage and scale cloud-native applications across hybrid environments.

May 11, 2022

JFrog introduced a new Docker Desktop Extension for JFrog Xray that allows organizations to automatically scan Docker Containers for vulnerabilities and violations early in the development process.

May 11, 2022

Progress announced a series of updates in Progress Telerik and Progress Kendo UI.

May 11, 2022

Vultr announces that Vultr Kubernetes Engine (VKE) is generally available.

May 10, 2022

Docker announced new features and partnerships to increase developer productivity. Specifically, the company announced Docker Extensions which allow developers to discover and add complementary development tools to Docker Desktop.

May 10, 2022

Red Hat announced the general availability of Red Hat Ansible Automation Platform on Microsoft Azure, pairing hybrid cloud automation with the convenience and support of a managed offering.