How much time do developers actually spend writing code?
According to recent studies, developers spend more time maintaining, testing, and securing existing code than they do writing or improving code. Security vulnerabilities have a bad habit of being introduced during the software development process and only surfacing after an application is deployed. The frustrating part is that many of these bugs and security flaws could have been fixed at an earlier stage, and there are proper methods and tools to detect them.
How much time does a developer spend learning to write functional code? And how much is spent on learning about code security, or on learning how not to code?
Wouldn’t it be better to eradicate the problem from the system instead of having it there and then trying to detect and stop an ongoing attack targeting it?
You can test your secure coding skills with this short self-assessment.
The true cost of defects
Everyone makes mistakes, even developers. Software defects are inevitable and accepted as the “cost of doing business” in this field.
That said, any unfixed bugs in the code are the lifeblood of attackers. If they can find at least one flaw in a system that can be properly exploited (i.e., a software vulnerability), they can use that vulnerability to cause massive damage, potentially on the order of tens of millions of dollars – as we see in the well-publicized cases that make headlines every year.
And even for less serious vulnerabilities, fixing them can be very costly – especially if a vulnerability is introduced much earlier in the SDLC due to a design flaw or a missing security requirement.
Why is the current approach to software security failing?
1 – Too much reliance on technology (and not enough on people)
Automation and cybersecurity tools are supposed to reduce the workload for developers and application security staff by scanning, detecting and mitigating software vulnerabilities, however:
- While these tools contribute to cybersecurity efforts, studies show that they can only detect 45% of overall vulnerabilities
- They can also produce “false positives”, leading to inconvenience, delays and unnecessary rework
- …or even worse, “false negatives”, creating an extremely dangerous false sense of security
2 — The DevSec disconnect
The DevSec disconnect refers to the well-known tension between developer teams and security teams due to different (and often conflicting) priorities when it comes to new features and bug fixes.
As a result of this friction, 48% of developers end up regularly pushing vulnerable code to production. Vulnerabilities discovered later in the development cycle are often not mitigated or end up creating additional costs, delays and further risks. These are the consequences of short-term thinking: after all, it would be better to fix the problem at source rather than spend time and resources finding code bugs later in the software development lifecycle.
3 — Monitoring your supply chain, but not your own software
Another common mistake is to focus only on software supply chain security and address only known vulnerabilities in existing software products and packages listed in the well-known Common Vulnerabilities and Exposures (CVE) list or the National Vulnerability Database (NVD).
Addressing any vulnerabilities in third-party components, your dependencies, or the operating environment is essential, but it won’t help you with vulnerabilities in your own code.
Similarly, monitoring potential attacks through intrusion detection systems (IDS) or firewalls, followed by incident response, is a good idea – and recognized by the OWASP Top 10 as a must – but these activities deal only with the consequences of cyber attacks, not with the cause.
The solution: make secure coding a team sport
Your cyber security is only as strong as your weakest link. Software development is not an assembly-line job, and – despite all predictions – it won’t be fully automated anytime soon. Programmers are creative problem solvers who must make hundreds of decisions every day while writing code, because software development is a craft.
When it comes down to it, whether a piece of code is secure or not depends on the skills of individual developers.
Processes, standards, and tools can help drive and reinforce best practices, but if a developer doesn’t know about a particular type of bad practice, they’re likely to keep making the same mistake (and introduce the same type of vulnerability in the code) over and over again.
6 Tips for Empowering Secure Coding
The number of newly discovered vulnerabilities is increasing, and the threats posed by malicious cyber actors are constantly becoming more sophisticated. Most organizations start implementing a secure development lifecycle only after an incident, but if you ask us when you should start, the answer is, of course, always the same: the sooner the better.
That’s because when it comes to critical vulnerabilities, even hours can mean the difference between no lasting damage and financial disaster.
Here are our top tips for doing just that:
1 — Shift left – bring the security perspective into the early stages of development
Relying on DevSecOps-style security tool automation alone is not enough; you need to implement real culture change. SAST, DAST and penetration testing all sit on the right-hand side of the SDLC; shift left to the beginning of the software development life cycle for more complete coverage.
2 — Adopt a secure development lifecycle approach
MS SDL or OWASP SAMM for example will provide a framework for your processes and act as a good starting point for your cyber security initiative.
3 — Cover your entire IT ecosystem
Third-party vulnerabilities pose a major risk to your business’s cybersecurity, but your own developers can also introduce application-level flaws. You must be able to detect and resolve vulnerabilities in on-premises, cloud, and third-party environments alike.
4 — Move from reaction to prevention
Add defensive programming concepts to your coding instruction; persistence is what you need. Above all, good security is about a healthy dose of paranoia.
5 — Mindset is more important than technology
Firewalls and IDSs won’t protect your software from hackers by themselves; they simply deal with the consequences of already existing vulnerabilities. Address the root of the problem: developer mindset and personal responsibility.
6 — Invest in secure code training
Look for a training program that covers a wide range of programming languages and provides thorough coverage of secure coding standards, vulnerability databases, and the types of critical software vulnerabilities recognized by the industry. Hands-on lab exercises in developers’ native environments are a huge plus to get them up to speed quickly and bridge that pesky know-to-do gap.
Cydrill’s blended learning journey provides proactive and effective secure coding training to developers from Fortune 500 companies worldwide. Combining instructor-led training, e-learning, hands-on labs and gamification, Cydrill offers a new and effective approach to learning how to code securely.