Pieter Danhieux has an impressive background in cybersecurity. And he acknowledges that when it comes to building software, problems in the code lead to security issues. Yet he blames this problem not on the developers themselves, but on what he has seen as “a lot of things we’ve done wrong with developers.”
Organizations, he said, have given development teams tools they’re not familiar with and don’t know how to use. Further, developers are actually split over their role in security. While some have embraced secure coding practices, others still have not. “Developers say security is slowing me down,” said Danhieux, the CEO of Secure Code Warrior, a company that takes a holistic view of software security. “They just want to release new features as quickly as they can. The friction (developers have) with security teams still exists.”
Meanwhile, colleges and universities are not including safety and security as part of their software engineering curricula. This leaves new developers entering the field ill-prepared to deal with security issues they might create while writing new code.
This certainly is not a new problem. For instance, the OWASP Top 10 list of software vulnerabilities was first published in 2003, and many of the items on that list – cross-site scripting and SQL injection, as two examples – remained there for many years, because developers didn’t understand the vulnerabilities and lacked the knowledge and skills to end these issues.
Danhieux recommended that developers take a single issue – SQL injection, for example – and learn how to eliminate that one thing. When that’s taken care of, move on to the next biggest issue, and eliminate that one. Before too long, the code will be more secure and developers will have the skills to stay on top of security.
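As an added illustration of the single-issue approach above (not code from the article or from Secure Code Warrior): the SQL-injection defect in string-built queries beside its parameterized fix, run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example, not taken from the article.
_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "ob@example.com"),
]


def _connect():
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Defect: the input is spliced into the SQL text, so quotes in it
    change the query's structure instead of being treated as data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Fix: a bound placeholder. The driver sends the value separately
    from the statement, so it can only ever be compared as a literal."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return (vulnerable, safe).
    A SQL error from the vulnerable path is reported as a string rather
    than raised, so the two outcomes can be placed side by side."""
    conn = _connect()
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:
        vulnerable = "error: " + type(exc).__name__
    safe = lookup_parameterized(conn, name)
    conn.close()
    return vulnerable, safe
```

An ordinary name with an apostrophe is enough to break the string-built version, which is also the quickest check to add to a code review or test suite for this one issue.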
Another aspect of modern software development that makes security so important is that more of the applications being written today are consumer-facing, where in the past much of the work was done on the back end, behind the scenes. “Software is in your house, in your car, in your watch,” Danhieux said. “It must not be vulnerable.” Some organizations, he pointed out, still take risks by pushing software live before they can certify it is secure, but in a few years that won’t be an option because of where software is embedded.
NIST, the U.S. National Institute of Standards and Technology, recently updated its Secure Software Development Framework (SSDF) to address security in the software supply chain, that is, the open-source and third-party components developers rely on to complete their applications. The update outlines the need to produce well-secured software with minimal vulnerabilities upon release.
Yet, judging from the sheer number of breaches reported each year, that is no easy task.
According to Danhieux, developers will be absolutely key in upholding those SSDF recommendations, but he also noted they’re often not set up for success in security, having had little to no exposure to secure coding best practices or security tooling. “Security programs must include comprehensive developer enablement and upskilling so they can tackle common vulnerabilities head-on, and share responsibility for upholding those best practice guidelines,” he said.
Danhieux emphasized the need for verified developer security skills from vendors supplying software to the government, “so it’s vital that they can build upon foundational learning that is practical and assessable,” he said.
To help developers get out in front of these issues, Secure Code Warrior provides learning and tooling for developers, including coding patterns that can help them avoid introducing vulnerabilities into their work, Danhieux said. The company’s platform, he added, uses gamification to bring those security skills to developers. “We’re not policing them,” he said.