Application Security Lessons from Star Trek: How Kirk & Spock Can Inspire Secure Code - Part 2
August 24, 2016

Amit Ashbel
Checkmarx

At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so? In Part 1 of this blog, we covered Clear Visualization and Teamwork. Here are 2 more ways.

Start with Part 1

3. Gamification

Resistance is futile when it comes to adopting gamification. Gamification is considered the buzz in today's enterprises and startups alike. Wikipedia has a good description: "Gamification is the use of game thinking and game mechanics in non-game contexts to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning."
Gamification takes the teamwork enhancements described earlier to another level.

Gamification can be implemented as an exchange platform between developers, integrated into the developer's environments. In such a setup, each developer would be able to view the security solutions of others.

Developers could then flag particular solutions, similar to a Facebook "like", and even contribute to the general understanding of the nature of the particular vulnerability. Taking it further, it's even possible to reward the user who has been most beneficial to the team. For example, presenting rewards to developers who find the hidden risk, ways to break the code or written an impenetrable function. You can even call it your own in-house bug-bounty program.
A global social network is ideal for implementing such a security exchange platform. However, even simple existing forums, such as GitHub or StackExchange, can be used as they too reward developers for their contribution.

4. Immediate Feedback

"Kirk relied on Spock unfailingly for his advice, knowing it would never be encumbered by any thoughts of personal gain or tempered by emotional constraints," as stated by Time magazine.

The type of immediate feedback Spock is known for also has big benefit in a SAST scenario. We all draw lessons from our mistakes. Previously, a Quality Assessment (QA) was not performed until several months after the development cycle ends. Nowadays, in today's development environments, unit testing is de riguer and developers receive feedback on their code while it's still "fresh off the press".

Taking a look at SAST, we see that many companies employ the tools after the end of the development cycle, several months after the development of the code. Similar to QA processes, SAST should be integrated into the development and testing environments. While first-generation SAST tools provided an analysis too slow to fit into a Continuous Integration and Continuous Deployment environment, important functionality such as incremental analysis, seamless IDE integration and most importantly ease of use, solve this problem.

Live Long and Prosper

Application Security is built around the concept of ensuring that the code written for an application does what it was built to do, and keeps the contained data secure. Notwithstanding the high general interest in security, time and time again developers fail to integrate secure coding best practices. With these four tips, security teams can transfer that security spark to developers when it comes to writing code. In order for any security program to be properly implemented, it needs effective teamwork between developers and security teams.

Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.

Share this

Industry News

November 24, 2020

Red Hat announced new capabilities and features for Red Hat OpenShift, the company's enterprise Kubernetes platform.

November 24, 2020

Sectigo released Chef, Jenkins, JetStack Cert-Manager, Puppet, and SaltStack integrations for its certificate management platform.

November 24, 2020

DataStax released K8ssandra, an open-source distribution of Apache Cassandra on Kubernetes.

November 23, 2020

Spectro Cloud has released a new, self-hosted version of its flagship product, Spectro Cloud.

November 23, 2020

GitLab completed integration of Peach Tech, a security software firm specializing in protocol fuzz testing and dynamic application security testing (DAST) API testing, and Fuzzit, a continuous fuzz testing solution providing coverage-guided testing.

November 23, 2020

Fugue announced the availability of its SaaS product in AWS Marketplace, further simplifying the process for Amazon Web Services customers to use Fugue to bring their environments into compliance quickly, demonstrate compliance at any time, and Shift Left on cloud security.

November 19, 2020

Rollbar announced AI-assisted workflows powered by its new automation-grade grouping engine.

November 19, 2020

Buildkite expanded its integration with GitHub and introduced a new onboarding experience.

November 19, 2020

Rancher Labs launched a new Partner Program for the OEM and embedded community.

November 18, 2020

Puppet announced its evolution to an integrated automation platform to enable key business initiatives such as scaling DevOps, risk reduction, policy as code, and evolving cloud strategies.

November 18, 2020

Adaptavist has joined the GitLab partner program as a Select partner.

November 18, 2020

Postman launched the beta version of public workspaces, a hub that makes it possible for both API producers and consumers to seamlessly communicate and collaborate in real time without team or organizational boundaries.

November 17, 2020

Red Hat introduced new capabilities for Red Hat Enterprise Linux and Red Hat OpenShift intended to help enterprises bring edge computing into hybrid cloud deployments.

November 17, 2020

Humio announced the availability of the Humio Operator.

November 17, 2020

Accurics announced that Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC), has been extended to support Helm and Kustomize.