How to Remove Vulnerabilities in a Fast-Paced Business World

If there is one constant in the modern business world, it’s that the pace of change is continuing to increase. Market forces and customer demands are constantly shifting and any organisation that doesn’t respond risks failure.

Feeling particular pressure are software development teams. They’re perpetually under the gun to perform a miracle and continuously create new applications and solutions that will earn the most significant buzz.

At the same time, emerging “latest and greatest” solutions are constantly being thrown at developers, which can easily cause distractions. When asked about their top priorities, developers say they are dialled in on ensuring code quality, boosting application performance, and solving real-world problems. Security, however, often falls behind these priorities.

Unfortunately, that does not come as a surprise. All too often developers hear things like “We need to get this out ASAP … We’ll deal with the secondary stuff later.” Subsequently, security takes a backseat, regardless of how these decisions may impact customers in the future.

Beware of the risks of rushing to scale

When you dig deeper into this troublesome cycle, three sources of increased risk can be identified. They are:

  1. The challenge of speed: As indicated, the rush to scale leads directly to the issues. Two-thirds of developers admit they know they’re shipping code with vulnerabilities. When asked why, they said their organisation and/or management team prioritise functionality over security (as cited by 37%) and that they simply do not have time to build security into code while still meeting tight deadlines (36%). One-third said they don’t know how to identify or fix vulnerabilities, and one-quarter said they feel fixing insecure code is someone else’s job.
  2. Library code: Developer teams rely heavily on pre-existing code, but 45% are using libraries or frameworks with inherent flaws because they are not tested/evaluated on an ongoing basis for vulnerabilities.
  3. Overactive APIs: APIs are supposed to enable communication between software components, facilitating user requests and responding to them. But developers frequently over-permit APIs for functions, so they don’t have to keep changing access rights with every program build. That’s when APIs will talk too much, oversharing critical information that attackers will exploit.

But swift scaling does not have to diminish the protection of code.

Improving the security of code

There are some key ways in which the security of software code can be improved. They include:

  • Making security top of mind:
    There are some encouraging signs that this is starting to happen within developer communities. Three of five, for example, say they seek to use pre-approved code, which is confirmed as secure, and they deploy tools such as static, dynamic, and interactive application security testing, along with software composition analysis. We need to see more of this, but to avoid conversations around time constraints, businesses need to develop a comprehensive timeline that builds in additional time for risk assessments of code.
  • Increase investment in training:
    Nine out of ten developers recognise they need training, and many want practical sessions leveraging work-relevant, real-life examples. In addition, they feel they’d benefit from hands-on interactivity and opportunities to actually practice writing secure code as part of their training. In other words, a “check the boxes” approach conducted with a static computer program or course no longer suffices, and is too infrequent to make a difference. Dynamic material that’s delivered in real-time and catered toward specific languages and individual needs of organisations will enable teams to rise to the ever-changing threat landscape.
  • Create a team council:
    With security and developers taking part, a collaborative council would strengthen assessments by adopting standardised practices. The council could also appoint an evangelist as its leader – someone who will push hard for stronger measures, such as real-time feedback on code as it’s written, and a security champion program.

The pace of evolution required to succeed in today’s business world is unlikely to slow any time soon. However, keeping up with this pace should not happen at the expense of effective software security.

There needs to be a focus on improving the security maturity of developer teams and ensuring they understand the key role they play in achieving robust and effective security across their entire organisation. This will help to support ongoing change while ensuring the organisation is protected from attacks.

Pieter Danhieux, CEO and Co-Founder at Secure Code Warrior
Pieter Danhieux is the Co-Founder/CEO of Secure Code Warrior, a global security company that makes software development better and more secure. In 2016, he was No. 80 on the list of Coolest Tech people in Australia (Business Insider) and awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association). Pieter is also a Principal Instructor for the SANS Institute, teaching military, government and private organisations offensive techniques on how to target and assess organisations, systems and individuals for security weaknesses. He also serves as an advisory board member of NVISO, a cyber security consulting company in Europe. Before starting his own company, Pieter worked at Ernst & Young and BAE Systems. He is also one of the Co-Founders of BruCON, one of the most awesome hacking conferences on this planet. He started his information security career early in life and obtained the Certified Information Systems Security Professional (CISSP) certification as one of the youngest persons ever in Belgium. On his way, he collected a whole range of cyber security certificates (CISA, GCFA, GCIH, GPEN, GWAP) and is currently one of the select few people worldwide to hold the top certification GIAC Security Expert (GSE).