Developers: No Longer the Hackers’ Allies

No one who works in IT today can escape the carnage wreaked by hackers. Worms and other exploits are increasingly designed to target specific vulnerabilities in software ranging from operating systems to business applications, and for that reason, attention is increasingly focused on the development community. The industry is starting to ask itself how it can build more secure software.

It’s true that perimeter security has gotten better and there’s been a flurry of new legislation and better-trained law enforcement at all levels. These have combined to make success quite a bit harder for hackers. But the real threat looming for the hacker community is that their most valuable, and usually unwitting, ally is now poised to become their greatest adversary. You see, until now, hackers have relied on the security ignorance of developers to succeed. But trends are showing that the people who make software are starting to fight back.

The Good Old Days
Traditionally, information security professionals and application developers have been uneasy bedfellows. In years past, security staff generally approached developers as they would any other IT user, emphasizing well intentioned but outdated practices for securing network perimeters and enforcing authentication credentials.

During my tenure as a development manager, I worked at one company whose approach to security entailed a quarterly meeting with the CISO and a 50+ page Word document he created describing “the information security policies that you and your team are expected to comply with henceforth,” but not much else. Thumbing through the documents, I found policies on password lengths and firewall settings, but nothing to do with the code my team was developing. He wanted us to be concerned about security, but no one could accurately express what that meant to us as developers. It was a step in the right direction, but it had no impact on application security.

This inability to provide the context for security in meaningful development terms, helping the security people and developers understand one another, is what has eluded us up to this point and why software is so easy to attack.

In years past, security professionals treated applications with an after-the-fact approach. They envisioned a world in which security could be “bolted on” to applications after they were completed, but before they were deployed. This approach unraveled as soon as it was understood that applications, especially those that sat behind a firewall but interacted with legacy applications or the Internet, contained vulnerabilities that couldn’t be discovered until applications were deployed and live. At best, it annoyed developers who needed to make changes in what they considered to be sound code. At worst, it left enterprises open to attack on a number of fronts.

Meanwhile, within developer workgroups, no changes were made to ensure that the priorities of those who write software mapped to the priorities of information security staff. Traditionally, developers are judged against two metrics: feature sets and ship dates. This rush toward a ship date while preserving crucial features leaves little room for ensuring application security. Only today are organizations beginning to address this inherent mismatch in priorities and get the development workgroup and their security colleagues working in tandem.

Common Goals and New Approaches
The crucial first step is for security staff and developers to realize that they share a common goal of securing information from those who would like to harm us. The number and financial consequences of enterprise security breaches, including those enabled by application vulnerabilities, are making news almost daily. The sheer impact in terms of lost revenue and reputation makes it a problem bigger than either party has dealt with in the past.

Organizationally, new roles have emerged to build a bridge between developers and security staff. As titles like Software Security Architect become more common, security policy has been emphasized in terms that make sense to developers. Software Security Architects have introduced technologies such as penetration testing to the quality assurance process, and are making sure that developers receive meaningful training in security policy and best coding practices. In addition, Software Security Architects can articulate the ways in which vulnerabilities make their way into applications.

Organizations can also train staff on the different points in the development timeline when processes can introduce vulnerabilities that are not the fault of any individual developer. For example, Developer A and Developer B could write two independently flawless modules within one application, but depending on the code, vulnerabilities could develop as a result of integrating these pieces during nightly builds. Similarly, a development team could scrub that vulnerability out of a nightly build, only to find that a new one is discovered during the QA process. Development managers have also become aware of the danger created when, say, an application coded in C++ interacts with a Java application to create a vulnerability not found in either stand-alone application. Lastly, developers are beginning to understand how applications that call on legacy, pre-Internet applications, written before the days of firewalls, can create data paths that are crucial attack vectors for hackers.

New technologies are easing developers’ burdens regarding security. In particular, source code analysis and attack simulation have emerged as powerful tools for development managers. Source code analysis tools validate snapshots of code against a set of secure coding rules while attack simulation adds targeted hacking techniques to an existing QA regression test. If vulnerabilities are detected, the tools report the violation, along with a suggested remedy. Detecting such problems significantly reduces the cost of fixing software defects.

The added advantage is ensuring quality, efficient code with fewer performance bottlenecks. This is not a panacea, however. These techniques are only as effective as the last time they are performed and the coding rules enforced. Successfully deploying these tools requires careful consideration of exactly where and when they should be run within the software development process; otherwise they can provide a false sense of security and slow down development.

Bridging the Gap
It’s clear that unless developers become security professionals themselves, there will be a gap to be bridged. The key to solving this problem is to understand that securing applications does not require any disruption to well-entrenched development practices. As soon as development teams embrace that they can have a major impact on overall security through relatively small adjustments to what they are already doing in the design, coding, and testing phases, the largest hurdle has been overcome. The introduction of automation into application security allows organizations to marry security and development without disruption, and enforce policy without delaying deployment.

Automation is a powerful tool for identifying security issues hidden within the context of a large system. Automated tools allow the security team to verify the output of a development team. Even more important is that automation can be applied while lines of code are being written, so that there are many fewer issues to be resolved in nightly builds and during QA.

Automated security tools can validate code, line-by-line, as it’s entered on a development desktop. They can detect the use of vulnerable functions and procedures and point out the exact location of a potential vulnerability. They suggest alternate, secure functions or procedures to allow development to continue and provide on-the-job training on how to avoid a similar mistake in the future. The best analysis tools don’t simply highlight vulnerability; they explain how the vulnerability came to be.

In the same way, automated data flow analysis can detect paths of potentially dangerous data before the data has the chance to move through an application. In addition, these tools can accurately track sequencing of operations to detect improper coding constructs; again with the effect of efficient code as well as secure code.

The benefits of automated code analysis extend well beyond the desktop. The same approach can be used to track, analyze, and rectify flaws not found until after a code build has completed. Run-time analysis can categorize and prioritize code security issues. It can also point to specific lines of code to pinpoint possible vulnerabilities, and trace tainted data back to its source so that a fix can be applied.
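The three capabilities described above, a rule check that flags a vulnerable function and suggests a safer alternative, line-by-line data flow analysis, and tracing tainted data back to its source, can be shown together in a deliberately small analyzer. The following Python is an added example, not code from the article or from Fortify's products: the banned-function table, the source and sink lists, the regex-based statement matching and the C snippet it scans are all constructed assumptions, and a real engine works on a parsed program rather than on lines of text.

```python
"""Toy source-code analyzer in the spirit of the tools the article describes:
a secure-coding rule check (banned call plus suggested remedy) and line-by-line
taint data-flow tracking that traces a dangerous sink back to its source.
Added example; rule table, source/sink lists and the C snippet are constructed
assumptions, not Fortify's rules or engine."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Secure-coding rule table (assumption): banned function -> suggested remedy.
BANNED = {
    "gets": "fgets() with an explicit buffer size",
    "strcpy": "strlcpy() or snprintf() with an explicit buffer size",
    "sprintf": "snprintf() with an explicit buffer size",
}
# Taint sources (assumption): "ret" taints the assigned variable, an int taints that argument.
SOURCES = {"getenv": "ret", "read_request": "ret", "fgets": 0, "gets": 0}
# Taint sinks (assumption): index of the argument that must not carry attacker-influenced data.
SINKS = {"system": 0, "popen": 0, "strcpy": 1, "strcat": 1, "sprintf": 2}
# Calls whose first argument receives data derived from the remaining arguments.
WRITERS = {"strcpy", "strcat", "sprintf"}

# Statement shapes recognised by this toy: "T v = f(args);", "f(args);", "T v = w;"
ASSIGN_CALL = re.compile(r"^\s*(?:\w+[\s*]+)?(\w+)\s*=\s*(\w+)\s*\((.*)\)\s*;")
ASSIGN_VAR = re.compile(r"^\s*(?:\w+[\s*]+)?(\w+)\s*=\s*(\w+)\s*;")
CALL = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*;")


@dataclass
class Finding:
    kind: str                          # "rule" (banned call) or "taint" (data flow)
    line: int                          # line where the problem is reported
    detail: str
    source_line: Optional[int] = None  # taint findings: line where the data entered


def split_args(raw: str) -> List[str]:
    # Assumption: no commas inside string literals in the analysed snippet.
    return [a.strip() for a in raw.split(",")] if raw.strip() else []


def idents(arg: str) -> List[str]:
    # Identifiers used in an argument expression, ignoring string literal contents.
    return re.findall(r"[A-Za-z_]\w*", re.sub(r'"[^"]*"', "", arg))


def analyze(source: str) -> List[Finding]:
    findings: List[Finding] = []
    tainted: Dict[str, int] = {}  # variable -> line of the source that tainted it

    def taint_of(args: List[str]) -> Optional[int]:
        for arg in args:
            for name in idents(arg):
                if name in tainted:
                    return tainted[name]
        return None

    for lineno, text in enumerate(source.splitlines(), 1):
        target: Optional[str] = None
        if m := ASSIGN_CALL.match(text):
            target, fn, raw = m.groups()
        elif m := CALL.match(text):
            fn, raw = m.groups()
        elif m := ASSIGN_VAR.match(text):
            var, rhs = m.groups()       # plain copy: taint follows the value
            if rhs in tainted:
                tainted[var] = tainted[rhs]
            else:
                tainted.pop(var, None)  # overwritten with clean data
            continue
        else:
            continue
        args = split_args(raw)

        # Rule check: the violation plus the suggested remedy, as the article describes.
        if fn in BANNED:
            findings.append(Finding("rule", lineno, f"{fn}() is banned; use {BANNED[fn]}"))
        # Sink check: report where tainted data arrives and where it came from.
        if fn in SINKS and len(args) > SINKS[fn]:
            src = taint_of([args[SINKS[fn]]])
            if src is not None:
                findings.append(Finding(
                    "taint", lineno,
                    f"attacker-influenced data reaches {fn}() argument {SINKS[fn]}", src))

        # Propagate taint forward so later lines see it.
        if fn in SOURCES:
            if SOURCES[fn] == "ret" and target:
                tainted[target] = lineno
            elif isinstance(SOURCES[fn], int) and len(args) > SOURCES[fn]:
                for name in idents(args[SOURCES[fn]]):
                    tainted[name] = lineno
        elif fn in WRITERS and args:
            src = taint_of(args[1:])
            if src is not None:
                for name in idents(args[0]):
                    tainted[name] = src
        elif target:
            src = taint_of(args)
            if src is not None:
                tainted[target] = src
    return findings


def report(source: str) -> List[str]:
    lines = []
    for f in analyze(source):
        where = f" (data enters at line {f.source_line})" if f.source_line else ""
        lines.append(f"line {f.line}: [{f.kind}] {f.detail}{where}")
    return lines


# Constructed C snippet: environment data flows through strcpy/sprintf into system().
SAMPLE_C = """\
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char cmd[256];
    char name[64];
    char *user = getenv("USER");
    strcpy(name, user);
    sprintf(cmd, "ls /home/%s", name);
    system(cmd);
    gets(name);
    return 0;
}
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_C)))
```

Run as a script it prints six findings for the snippet: three rule violations (lines 9, 10 and 12) and three taint findings (lines 9, 10 and 11), each traced back to line 8 where `getenv()` introduced the data. The design point worth noting is the separation between the rule table, which is pure pattern matching and cheap to run as code is typed, and the taint state, which must be carried forward statement by statement and is what lets the tool explain how the vulnerability came to be rather than merely where it is.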

Automation can also improve security once a release candidate has been completed. Automated tools can probe, observe and attack applications pre-deployment with a fraction of the time and effort it takes even sophisticated attackers. It can also monitor and track progress in a consistent manner, detailing the places your team has exercised while exposing untouched areas of your application.

At the end of the day, automation cannot take the place of secure coding practices and policy. However, the marriage of policy, best practices, and automation offers the best chance for the development community and their security colleagues to achieve their common goal: a world of secure applications.

Editor’s Note: The author, Roger Thornton, is the cofounder and CTO of Fortify Software, a vendor of security solutions including automated source code analysis. We have selected this article for publication because we believe it to have objective merit.
