Don't Shift Left, Start Left: Why Developers Should Be the First Line of Defense
In a recent Security webinar, How You Can Turn Security Training and Awareness into Action, Pieter Danhieux, Co-Founder and CEO of Secure Code Warrior, says there are 111 billion lines of code written by an estimated 22 million developers every year. “Building code is like building a house. If you do everything well, you end up with a beautiful, modern and secure house,” says Danhieux.
Recent headlines, such as the Imperva data breach, have shown that insecure code, even in security products, can land an enterprise in the same position. “We’re making the same vulnerabilities over and over again,” says Danhieux. “We’re in a situation where we know all the vulnerabilities out there, and we need to break out of that dangerous cycle of writing insecure code.”
Danhieux attributes data breaches to three things:
- Society’s demand for software is growing faster than security knowledge distribution and skills.
- There is no emphasis on building a culture of security awareness.
- Many vulnerabilities (and their remedies) have existed for decades, but coders are still introducing them into modern software.
He says, “The current approach isn’t working…and it hasn’t for a long time.” However, one of the things enterprises need to address, he says, is that developers should be the first line of defense.
Current application security tools focus on moving from right to left in the Software Development Life Cycle (SDLC), notes Danhieux, which usually results in:
- Finding problems and pointing them out – a situation that pits security teams against developers.
- Detection and reaction (as in, finding vulnerabilities in the written code and reacting to fix them) is unproductive and far more costly than fixing insecure code in the beginning.
So what does it mean to start left, and why should your enterprise not shift left, but start left?
Starting left is thinking and acting with a secure code mindset, says Steve Allor, Director of the Americas, Secure Code Warrior. “Starting left is arming and enabling developers to write better, more secure code tomorrow.”
Traditionally, says Allor, the line of defense is:
- Application scanning tools are applied late in the SDLC, after the code has already been architected, designed and written.
- The code is then checked for a variety of security risks or defects and other quality metrics to determine which ones are low-risk vs. high-risk, and which ones must be resolved before the software can be put into production.
This is time-consuming, and far more costly, says Allor. “Statistics show that developers continue to make the same mistakes because they do not know how to fix vulnerabilities,” he notes.
According to Secure Code Warrior, 85 percent of exploited vulnerabilities are attributed to just 10 known vulnerability classes. The Open Web Application Security Project (OWASP) Top 10 categories of application security weakness that enterprises face are:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
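To make the “locate, identify and fix” exercise concrete for two of the categories above, here is an added example (not code from the article or from Secure Code Warrior’s platform): a vulnerable function beside its hardened form for Broken Access Control and for Cross-Site Scripting, plus the kind of check a developer can run in a unit test before any scanner sees the code. The invoice store, user names and comment text are constructed for the example.

```python
"""Added example, not from the article: vulnerable vs. hardened forms of two
OWASP Top 10 categories, with a test-side check a developer can run at the
start of the SDLC. All data here is constructed for illustration."""
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample store. Ids are sequential, so a user who knows their own
# invoice id can easily guess a neighbour's: exactly the case an ownership
# check has to cover.
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 540),
}


# --- Broken Access Control --------------------------------------------------
def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Relies on the caller being logged in but never checks that the invoice
    belongs to them: any authenticated user can read any invoice by id."""
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user: str, invoice_id: int) -> Invoice:
    """Same lookup with an ownership check. 'Not yours' and 'does not exist'
    raise the same error so the response cannot be used to enumerate ids."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise PermissionError("invoice not accessible")
    return invoice


# --- Cross-Site Scripting ---------------------------------------------------
def render_comment_vulnerable(author: str, body: str) -> str:
    """Interpolates user-controlled text straight into HTML, so any markup in
    the comment becomes live markup in the page."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_fixed(author: str, body: str) -> str:
    """Encodes both user-controlled fields for the HTML text context before
    interpolation; quote=True also neutralises quote characters."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f"<p><b>{safe_author}</b>: {safe_body}</p>"


def contains_raw_markup(rendered: str, user_input: str) -> bool:
    """A check a unit test can run before the code leaves the developer's
    machine: does user input that contains '<' survive into the rendered
    output unchanged? True means output encoding is missing."""
    return "<" in user_input and user_input in rendered


if __name__ == "__main__":
    # Constructed inputs: bob's invoice viewed as alice, and a comment
    # containing harmless markup that should be displayed literally.
    print(get_invoice_vulnerable("alice", 1002))  # leaks bob's invoice
    try:
        get_invoice_fixed("alice", 1002)
    except PermissionError as exc:
        print("fixed:", exc)
    comment = "<i>not italic</i>"
    print(render_comment_vulnerable("carol", comment))
    print(render_comment_fixed("carol", comment))
```

The point of `contains_raw_markup` is that the cheapest place to catch either defect is a test the developer writes alongside the code, which is what “starting left” looks like in practice compared with a scanner finding the same issue after release.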
“The challenge is finding a way to enable the developer to learn how to avoid creating these vulnerabilities in a time and resource-constrained industry. That’s why it’s important to implement a security culture where developers are the first line of defense,” says Allor.
Why Developers Should Be the First Line of Defense
“We are in a world that gets more digital every day, which means more software is driving commerce, business transactions and everything we do. With that comes risk,” says Allor. “The organizations that have implemented security controls are trying to find vulnerabilities and trying to fix them.”
While attempting to find and fix vulnerabilities, enterprises are also trying to balance the competitive pressures to stay ahead of the marketplace and continuously innovate, he notes. “CTOs and CIOs are being pressured to release more functionality quickly in order for their enterprises to stay ahead of the competition in a digital landscape. Business slows down every time enterprises try to find and resolve the vulnerability while balancing risk.”
Overall, Allor says, if enterprises help developers write secure code from the start, they ultimately save the most time, because they can release more software more quickly with fewer defects, leading to less rework and more time to deal with competitive pressures. “Developers are able to effect and change the outcome of application security risk and profile within an enterprise when they are the first line of defense. They help enterprises create success in their digital strategy as they are able to create more secure software that is released more quickly.”
In combination with developers, there are many pillars enterprises should employ in their defense, Allor says. “Every enterprise should ensure every individual maintains a level of security awareness to ensure they are helping protect their own assets, as well as the assets they manage on behalf of the business.” Security awareness programs, notes Allor, include anti-phishing campaigns, strong password protection, building security policies and many more. “They are a critical component of de-risking an enterprise’s overall strategy.”
“A third of the cyber risk is a result of application security vulnerabilities. We know what the fixes and issues are for 80 to 90 percent of the vulnerabilities exploited. What the industry hasn’t improved yet is how to create a scalable way to teach developers how to avoid these mistakes, in a very hands-on, learn-as-you-go type of training that enables enterprises to move to a prevention-oriented posture,” says Allor.
Enter Secure Code Warrior. “Our approach is to mirror how a developer learns, which is through experiential learning. When you ask a developer how they learned to write their code, the answer is typically ‘on the job, from a friend or through experimentation.’ Being able to replicate that hands-on applied learning in their specific language and framework helps meet the developer in ways that they understand and helps them improve their code,” he says.
Secure Code Warrior delivers a Software as a Service (SaaS) platform that provides hands-on, interactive learning in the developer’s own language and framework, and gives an enterprise the tools and modules it needs to run a continuous learning process, notes Allor. “Having a continuous learning program ultimately leads enterprises to drive and reinforce the techniques, so that developers become more familiar with these skills.”
“We have a training mode that engages the developer in a self-paced way to progressing their language and frameworks,” says Allor. “During the training, they are challenged with locating, identifying and fixing the vulnerabilities, thus creating exposure and application security awareness. It also helps them learn and understand the many ways to avoid these vulnerabilities. Developers learn that writing secure code is attainable, as well,” he says.
In addition, Secure Code Warrior has a tournament that enterprises can use to create incentives, recognitions and awards to make security fun, with a “backdrop of learning that helps developers flex the application security or secure coding ‘muscle’ throughout that tournament,” he says. “The tournament contains an assessment engine that allows enterprises to implement belting systems, as well. The assessment tool enables enterprises to verify if that individual is learning to a level of proficiency they need, to complement other metrics such as the ultimate reduction in the number of vulnerabilities found in the overall scanning process in their applications.”
Overall, Secure Code Warrior tries to give developers a tangible and real way to experience and understand known vulnerabilities such as the OWASP Top 10, to hone their skills “while allowing an enterprise to help lead and guide an application security culture,” says Allor. “It aids in reinforcing the importance of application security skills that help developers be the first line of defense and add value to the enterprise and the marketplace. Ultimately, enterprises achieve their goals to minimize risk, while continuing to drive and increase success in their digital strategy.”