Application Security Lessons from Star Trek: How Kirk & Spock Can Inspire Secure Code - Part 2
August 24, 2016

Amit Ashbel
Checkmarx

At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so? In Part 1 of this blog, we covered Clear Visualization and Teamwork. Here are 2 more ways.

Start with Part 1

3. Gamification

Resistance is futile when it comes to adopting gamification. Gamification is considered the buzz in today's enterprises and startups alike. Wikipedia has a good description: "Gamification is the use of game thinking and game mechanics in non-game contexts to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning."
Gamification takes the teamwork enhancements described earlier to another level.

Gamification can be implemented as an exchange platform between developers, integrated into the developer's environments. In such a setup, each developer would be able to view the security solutions of others.

Developers could then flag particular solutions, similar to a Facebook "like", and even contribute to the general understanding of the nature of the particular vulnerability. Taking it further, it's even possible to reward the user who has been most beneficial to the team. For example, presenting rewards to developers who find the hidden risk, ways to break the code or written an impenetrable function. You can even call it your own in-house bug-bounty program.
A global social network is ideal for implementing such a security exchange platform. However, even simple existing forums, such as GitHub or StackExchange, can be used as they too reward developers for their contribution.

4. Immediate Feedback

"Kirk relied on Spock unfailingly for his advice, knowing it would never be encumbered by any thoughts of personal gain or tempered by emotional constraints," as stated by Time magazine.

The type of immediate feedback Spock is known for also has big benefit in a SAST scenario. We all draw lessons from our mistakes. Previously, a Quality Assessment (QA) was not performed until several months after the development cycle ends. Nowadays, in today's development environments, unit testing is de riguer and developers receive feedback on their code while it's still "fresh off the press".

Taking a look at SAST, we see that many companies employ the tools after the end of the development cycle, several months after the development of the code. Similar to QA processes, SAST should be integrated into the development and testing environments. While first-generation SAST tools provided an analysis too slow to fit into a Continuous Integration and Continuous Deployment environment, important functionality such as incremental analysis, seamless IDE integration and most importantly ease of use, solve this problem.

Live Long and Prosper

Application Security is built around the concept of ensuring that the code written for an application does what it was built to do, and keeps the contained data secure. Notwithstanding the high general interest in security, time and time again developers fail to integrate secure coding best practices. With these four tips, security teams can transfer that security spark to developers when it comes to writing code. In order for any security program to be properly implemented, it needs effective teamwork between developers and security teams.

Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.

Share this

Industry News

May 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

May 16, 2024

Mend.io and Sysdig unveiled a joint solution to help developers, DevOps, and security teams accelerate secure software delivery from development to deployment.

May 16, 2024

GitLab announced new innovations in GitLab 17 to streamline how organizations build, test, secure, and deploy software.

May 16, 2024

Kobiton announced the beta release of mobile test management, a new feature within its test automation platform.

May 15, 2024

Gearset announced its new CI/CD solution, Long Term Projects in Pipelines.

May 15, 2024

Rafay Systems has extended the capabilities of its enterprise PaaS for modern infrastructure to support graphics processing unit- (GPU-) based workloads.

May 15, 2024

NodeScript, a free, low-code developer environment for workflow automation and API integration, is released by UBIO.

May 14, 2024

IBM announced IBM Test Accelerator for Z, a solution designed to revolutionize testing on IBM Z, a tool that expedites the shift-left approach, fostering smooth collaboration between z/OS developers and testers.

May 14, 2024

StreamNative launched Ursa, a Kafka-compatible data streaming engine built on top of lakehouse storage.

May 14, 2024

GitKraken acquired code health innovator, CodeSee.

May 13, 2024

ServiceNow introduced a new no‑code development studio and new automation capabilities to accelerate and scale digital transformation across the enterprise.

May 13, 2024

Security Innovation has added new skills assessments to its Base Camp training platform for software security training.

May 13, 2024

CAST introduced CAST Highlight Extensions Marketplace — an integrated marketplace for the software intelligence product where users can effortlessly browse and download a diverse range of extensions and plugins.

May 09, 2024

Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.

May 09, 2024

Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.