Developers will never be responsible for all of security in an organization, but if they keep up with best practices, resources, and find new ways to secure and deliver good code, they could play a key role in developing resilient software.
Today, most firms have a software security group (or SSG) or a product security group, and they are the team that is responsible for making software security happen. However, they work alongside developers to make sure they too are aware of security best practices, like how to write secure code and do threat modeling.
What this means is that developers are partially responsible for software security, and they should be, said Gary McGraw, vice president of security technology at Synopsys Software Integrity Group. Developers are not responsible for “the whole kahuna,” as he puts it.
“A lot of people want to blame development for all security issues, but it’s not the developers’ fault that no one ever taught them about security in their career, yet,” said McGraw. “ We need to all work together to address that problem.”
Free security resources for developers
In order to “work together,” as McGraw puts it, developers need to create software that is threat resilient and bug free. There are plenty of blogs and tools designed to help developers do this. SD Times’ cybersecurity sources suggest developers check out these free resources to get started with security best practices:
- Stack Overflow: Most developers know how valuable Stack Overflow is when it comes to getting quick answers. Use this site to keep tabs on Stack Overflow’s engineering team, listen to podcasts, and read stories from talented speakers.
- HYPR: HYPR is a biometric security company, and a broader, more community-centered iteration of its blog is coming soon. The company plans on having more content about software development best practices that are not necessarily HYPR product-focused, but developers can enjoy reading and sharing best practices they find on the blog.
- O’Reilly Security: O’Reilly organizes several conferences a year on things like software architecture, DevOps, and you guessed it: security. While the conference itself isn’t free, O’Reilly puts out free reports and resources for developers, like their Docker Security report and Big Data security report.
- Security StackExchange: According to CEO of biometric security company HYPR, George Avetisov, this is a great community where developers can collaborate and learn from other security experts.
- Wireshark: Network analysis tools are invaluable for double-checking TCP packets for mistakes, said Avetisov. Wireshark is a network protocol analyzer for Unix and Linux.
- Schneier on Security: Bruce Schneier, a “security guru,” is the author of 13 books, and his Crypto-Gram newsletter and blog are read by over 250,000 people. He’s even testified before Congress, so it’s safe to say developers can learn a thing or two about software from him.
- KrebsonSecurity: Brian Krebs, a reporter known for his stories in The Washington Post, became intensely interested in computer security after his whole home network was overrun by a Chinese hacking group. Check out his many blog posts and reports on security.
- reddit.com/r/netsec: This subreddit is a community for technical news and discussions on information security and related topics. “Trusted by CIA analysts everywhere!”
- OWASP: An open source project which is “the de-facto standard for whomever wants to include security in web application development,” said Dario Forte, CEO of DF Labs.
- BSIMM: Available under the Creative Commons, this free material addresses software security trends, it looks at the value of software security, and it looks at the industry changes surrounding security practices. Think of the BSIMM as a measuring stick for software security teams or security groups, said Synopsys’ McGraw.
- Troy Hunt: Troy Hunt writes a detailed security blog, he creates courses for Pluralsight, and he is a Microsoft Regional Director. He knows how to create and secure applications for the web with the security community. Also, he was partially responsible for shedding light on the recent CloudPets data breach.
- Ars Technica: Amit Ashbel, cybersecurity evangelist from Checkmarx, suggests developers keep tabs on the security reports from Ars Technica.
- MakeAWebsiteHub.com: MakeAWebsiteHub.com has a few great resources for developers looking to create secure websites. For instance, the site includes cheat sheets on HTML5, CSS, jQuery, and more.
- WebsiteSetup: This free guide created by web developer Robert Mening lets anyone make their own websites without having to learn how to code.
Besides these free resources, McGraw said there are three things developers need to consider when it comes to security. First, they need to do code review and utilize the available code review tools for security. He said if developers are writing code, they should have it reviewed automatically with a tool.
The second tip he suggests is to get a handle on the software architecture from a security perspective. There are two kinds of defects that lead to security problems: bugs in the code and flaws in the design. The way developers can review their software architecture is by analyzing architecture risk or do an analysis and threat modeling. All developers should try to do this, especially software architects, said McGraw.
The last thing he suggests is penetration testing, but this is number three on the list and not number one, said McGraw. Developers can hire a firm or they can use automated tools that are sort of like penetration tests. The idea is to intentionally attack your own code to see if it will break, he said.
Cloudflare’s CTO John Graham-Cumming said that developers should also pay attention to the code that they use. Most developers use other people’s code as part of whatever they are building, he said, and this is a common way he sees websites and apps being hacked. He said that roughly 80% of web applications have some piece of code out of date, and this is something that developers should really be wary of.
In addition to these tools and practices, developers can also consider the benefits of open source, said Graham-Cumming. Cloudflare utilizes open source, and he said the nice thing about it is developers can be aware of the problems and even fix it themselves.
Other considerations for developers comes from Dimitri Sirota, CEO of data protection and privacy company, BigID. He said developers should consider code scanners, since they can validate software against zero-day vulnerabilities and open-source patch levels. They also should think about good practices around storing and using sensitive data, and they should do some sort of commit review appropriate for agile, so new commits can be verified for data usage, he said.