The ultimate safety blind spot you don’t know you have

How much time do developers actually spend writing code?

According to recent studies, developers spend more time maintaining, testing, and securing existing code than writing or improving code. Security vulnerabilities have a bad habit of appearing during the software development process, only to surface after an application is deployed. The disappointing part is that many of these security flaws and bugs could have been fixed at an earlier stage and there are proper methods and tools to find them.

How much time does a developer spend learning to write working code? And how much do we spend to learn about the security of the code? Or learn not to code?”

Wouldn’t it be better to eradicate the problem from the system than to have it there and then try to detect and stop an attack in progress targeting it?

You can test your secure coding skills with this short self evaluation.

The true cost of bugs

Everyone makes mistakes, even developers. Software bugs are inevitable and are accepted as the “cost of doing business” in this field.

That being said, any unfixed bug in the code is the lifeblood of attackers. If they can find at least one bug in a system that can be exploited in the right way (i.e. a software vulnerability), they can exploit that vulnerability to cause massive, potentially world-wide damage. tens of millions of dollars – as we see through high-profile cases that make headlines every year.

And even when it comes to less severe vulnerabilities, fixing them can be very expensive, especially if a weakness is introduced much earlier in the SDLC due to a design flaw or missing security requirement.

Why is the current approach to software security insufficient?

1 — Too much dependence on technology (and not enough on people)

Automation and cybersecurity tools are meant to reduce the workload of developers and application security personnel by scanning, detecting, and mitigating software vulnerabilities, however:

  • While these tools help with cybersecurity efforts, studies show that they can only uncover 45% of overall vulnerabilities.
  • They can also produce “false positives”, leading to worry, delays and unnecessary rework.
  • …or even worse, “false negatives”, creating an extremely dangerous false sense of security

2 — The DevSec logout

The DevSec disconnect refers to the well-known tension between development teams and security teams due to different (and often conflicting) priorities when it comes to new features and bug fixes.

Because of this friction, 48% of developers end up pushing vulnerable code into production on a regular basis. Vulnerabilities discovered later in the development cycle are often not mitigated or end up creating additional costs, delays and risks later. These are the consequences of short-term thinking: in the end, it would be better to fix the problem at the source than to spend time and resources looking for code flaws later in the software lifecycle. software development.

3 — Monitor your supply chain but not your own software

Another common mistake is to focus only on software supply chain security and only address known vulnerabilities in existing software products and packages listed in the famous Common Vulnerabilities and Exposures database or the National Vulnerability Database.

Addressing vulnerabilities in third-party components, your dependencies, or the operating environment is essential, but it won’t help you with vulnerabilities in your own code.

Likewise, monitoring for potential attacks through intrusion detection systems (IDS) or firewalls followed by incident response is a good idea – and is recognized by the OWASP Top 10 as a necessity. – but these activities only address the consequences of cyberattacks rather than the cause.

The Solution: Make Secure Coding a Team Sport

Your cybersecurity is only as strong as your weakest link. Software development is not an assembly line job and, despite all predictions, it won’t be fully automated any time soon. Programmers are creative problem solvers who have to make hundreds of decisions every day when writing code because software development is a type of skill.

Ultimately, whether or not a piece of code is secure depends on the skills of the individual developers.

Processes, standards, and tools can help foster and reinforce best practices, but if a developer is unaware of a particular type of bad practice, they may continue to make the same mistake (and introduce the same type of vulnerability into the code) over and over again.

6 Tips to Strengthen Secure Coding

The number of newly discovered vulnerabilities is increasing and the threats posed by malicious cyber actors are becoming increasingly sophisticated. Most organizations start implementing a secure development lifecycle after an incident, but if you ask us when you should start, the answer, of course, will always be the sooner the better.

Indeed, when it comes to critical vulnerabilities, even hours can mean the difference between no lasting damage and financial disaster.

Here are our top tips for doing just that:

1 — Left shift – extending the security perspective to the early stages of development

Relying on DevSecOps-style security tool automation is not enough on its own, you need to implement a real culture change. SAST, DAST, or Penetration Test is on the right in the SDLC; shift left towards the beginning of the software development lifecycle for more complete coverage.

2 — Take a secure approach to the development lifecycle

MS SDL or OWASP SAMM, for example, will provide a framework for your processes and act as a good starting point for your cybersecurity initiative.

3 — Cover your entire IT ecosystem

Third-party vulnerabilities pose a huge risk to your company’s cybersecurity, but your own developers can also introduce problems into the application. You need to be able to find and fix vulnerabilities on-premises, in the cloud, and in third-party environments.

4 — Moving from reaction to prevention

Add defensive coding concepts to your coding guidelines. Sturdiness is what you need. Good security is a matter of paranoia, after all.

5 – Mindset matters more than technology

Firewalls and IDSs alone will not protect your software against hackers; they simply deal with the consequences of already existing vulnerabilities. Attack the problem at its root: the mindset and personal responsibility of developers.

6 — Invest in secure code training

Look for one that covers a wide range of programming languages ​​and provides comprehensive coverage of industry-recognized secure coding standards, vulnerability databases, and types of critical software weaknesses. Hands-on lab exercises in developers’ native environments are a huge plus to get them up to speed quickly and fill in that pesky know-how.

Cydrill’s blended learning path provides proactive and effective secure coding training to developers at Fortune 500 companies around the world. By combining instructor-led training, e-learning, hands-on labs, and gamification, Cydrill provides a new and effective approach to learning to code safely.

Comments are closed.