Application Security Lessons from Star Trek: How Kirk & Spock Can Inspire Secure Code - Part 2
August 24, 2016

Amit Ashbel
Checkmarx

At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so? In Part 1 of this blog, we covered Clear Visualization and Teamwork. Here are 2 more ways.

Start with Part 1

3. Gamification

Resistance is futile when it comes to adopting gamification. Gamification is considered the buzz in today's enterprises and startups alike. Wikipedia has a good description: "Gamification is the use of game thinking and game mechanics in non-game contexts to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning."
Gamification takes the teamwork enhancements described earlier to another level.

Gamification can be implemented as an exchange platform between developers, integrated into the developer's environments. In such a setup, each developer would be able to view the security solutions of others.

Developers could then flag particular solutions, similar to a Facebook "like", and even contribute to the general understanding of the nature of the particular vulnerability. Taking it further, it's even possible to reward the user who has been most beneficial to the team. For example, presenting rewards to developers who find the hidden risk, ways to break the code or written an impenetrable function. You can even call it your own in-house bug-bounty program.
A global social network is ideal for implementing such a security exchange platform. However, even simple existing forums, such as GitHub or StackExchange, can be used as they too reward developers for their contribution.

4. Immediate Feedback

"Kirk relied on Spock unfailingly for his advice, knowing it would never be encumbered by any thoughts of personal gain or tempered by emotional constraints," as stated by Time magazine.

The type of immediate feedback Spock is known for also has big benefit in a SAST scenario. We all draw lessons from our mistakes. Previously, a Quality Assessment (QA) was not performed until several months after the development cycle ends. Nowadays, in today's development environments, unit testing is de riguer and developers receive feedback on their code while it's still "fresh off the press".

Taking a look at SAST, we see that many companies employ the tools after the end of the development cycle, several months after the development of the code. Similar to QA processes, SAST should be integrated into the development and testing environments. While first-generation SAST tools provided an analysis too slow to fit into a Continuous Integration and Continuous Deployment environment, important functionality such as incremental analysis, seamless IDE integration and most importantly ease of use, solve this problem.

Live Long and Prosper

Application Security is built around the concept of ensuring that the code written for an application does what it was built to do, and keeps the contained data secure. Notwithstanding the high general interest in security, time and time again developers fail to integrate secure coding best practices. With these four tips, security teams can transfer that security spark to developers when it comes to writing code. In order for any security program to be properly implemented, it needs effective teamwork between developers and security teams.

Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.

Share this

Industry News

July 13, 2020

Docker announced a collaboration with Amazon Web Services (AWS) to simplify the lives of developers by allowing them to focus on application development, streamlining the process of deploying and managing containers in AWS from their local development environment.

July 13, 2020

Perforce Software announced the release of a combined JRebel and XRebel plugin for the Eclipse IDE.

July 13, 2020

Spectro Cloud announced that its first product—Spectro Cloud—is now generally available.

July 09, 2020

ShiftLeft released a new version of NextGen Static Analysis (NG SAST), including new workflows, purpose-built for developers that significantly improve security, while enhancing productivity.

July 09, 2020

RunSafe Security announced a partnership with JFrog that will enable RunSafe to supercharge binary protections via a simple plugin that JFrog users can deploy within their Artifactory repositories and instantly protect binaries and containers.

July 09, 2020

LeanIX closed $80 million in Series D funding led by new investor Goldman Sachs Growth.

July 08, 2020

Afi.ai introduced Afi Data Platform, a cloud-based replication and resiliency service that helps to monitor, predict downtime and recover K8s applications.

July 08, 2020

D2iQ announced the release of Conductor, a new interactive learning platform that enables enterprises to access hands-on cloud native courses and training.

July 08, 2020

SUSE entered into a definitive agreement to acquire Rancher Labs.

July 07, 2020

Micro Focus announced AI-powered enhancements to the intelligent testing capabilities of the UFT Family, a unified set of solutions designed to reduce the overall complexity of automating the functional testing processes.

July 07, 2020

Push Technology announced the launch of a new Service API capability for Diffusion Cloud, Push’s Real-Time API Management Cloud Platform.

July 07, 2020

Lightrun exited stealth and announced $4M in seed funding for the first complete continuous debugging and observability platform for production applications.

July 01, 2020

JFrog announced the launch of ChartCenter, a free, security-focused central repository of Helm charts for the community.

July 01, 2020

Kong announced a significant upgrade to open source Kuma, Kuma 0.6, available today.

July 01, 2020

Compuware Corporation, a BMC company, announced new capabilities that further automate and integrate test data and test case execution, empowering IT teams to achieve high-performance application development quality, velocity and efficiency.