If there is one constant in the modern business world, it’s that the pace of change is continuing to increase. Market forces and customer demands are constantly shifting and any organisation that doesn’t respond risks failure.
Software development teams feel this pressure most acutely. They are perpetually under the gun to ship new applications and features, continuously, and to make each one the thing that earns the most buzz.
At the same time, emerging “latest and greatest” solutions are constantly being thrown at developers, which can easily cause distractions. When asked about their top priorities, developers say they are dialled in on ensuring code quality, boosting application performance, and solving real-world problems. Security, however, often falls behind these priorities.
Unfortunately, that comes as no surprise. All too often developers hear things like "We need to get this out ASAP … We'll deal with the secondary stuff later." As a result, security takes a back seat, regardless of how those decisions may affect customers later on.
Beware of the risks of rushing to scale
When you dig deeper into this troublesome cycle, three sources of increased risk can be identified. They are:
- The challenge of speed: As indicated, the rush to scale leads directly to these issues. Two-thirds of developers admit they know they are shipping code with vulnerabilities. When asked why, they said their organisation and/or management team prioritises functionality over security (cited by 37%) and that they simply do not have time to build security into code while still meeting tight deadlines (36%). One-third said they do not know how to identify or fix vulnerabilities, and one-quarter said they feel fixing insecure code is someone else's job.
- Library code: Development teams rely heavily on pre-existing code, but 45% are using libraries or frameworks that carry known flaws, because those components are not re-evaluated for vulnerabilities on an ongoing basis. A dependency that was clean when it was adopted can have a vulnerability disclosed against it months later, so the check has to be repeated, not done once at adoption time.
- Overactive APIs: APIs are supposed to enable communication between software components, accepting user requests and responding to them. But developers frequently grant an API broader permissions, and let it return more data, than the calling function needs, so that they do not have to revisit access rights with every build. That is when APIs talk too much, oversharing sensitive information that attackers will exploit.
Swift scaling does not, however, have to diminish the protection of code.
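To make the "overactive API" point concrete, here is an added example, not code from the original article: a user-lookup handler in its over-permitted form, which returns every column of the record to any authenticated caller, beside a hardened form that projects the record through an allow-list of fields derived from the caller's token scopes. The user record, the scope names and the `Token` type are all constructed for illustration and are not taken from any real system.

```python
from dataclasses import dataclass

# Constructed sample record standing in for a row in the user store.
# Values are made up; the password hash is a placeholder, not a real hash.
USERS = {
    42: {
        "id": 42,
        "display_name": "Alice",
        "email": "alice@example.com",
        "password_hash": "<placeholder-hash>",
        "is_admin": False,
        "internal_notes": "flagged for manual review",
    },
}

# Allow-list: which fields each (hypothetical) scope may see. A field that is
# not listed under any scope (here, password_hash) can never appear in a
# response, and adding a new column to the record widens nothing until the
# column is listed here. This table is data, so it can change without a build.
SCOPE_FIELDS = {
    "profile:read": frozenset({"id", "display_name"}),
    "profile:read_email": frozenset({"email"}),
    "admin:read": frozenset({"id", "display_name", "email", "is_admin", "internal_notes"}),
}


@dataclass(frozen=True)
class Token:
    """Hypothetical bearer token, already validated by the transport layer."""
    subject: int        # user id of the caller
    scopes: frozenset   # granted scope names


def get_user_overshared(token, user_id):
    """'Before': authentication is checked, then the whole record is returned.

    Every caller holding any valid token gets every column, including the
    password hash and internal-only fields.
    """
    if token is None:
        raise PermissionError("authentication required")
    record = USERS.get(user_id)
    if record is None:
        raise KeyError(user_id)
    return dict(record)


def allowed_fields(token, user_id):
    """Compute the set of fields this caller may read for this user."""
    allowed = set()
    for scope in token.scopes:
        allowed |= SCOPE_FIELDS.get(scope, frozenset())
    # A user may always read their own basic profile and e-mail address.
    if token.subject == user_id:
        allowed |= SCOPE_FIELDS["profile:read"] | SCOPE_FIELDS["profile:read_email"]
    return frozenset(allowed)


def get_user_scoped(token, user_id):
    """'After': the response is projected through the allow-list.

    Fails closed: a token with no applicable scope gets a PermissionError
    rather than an empty object. Authorisation is decided before the record
    is looked up, so an unauthorised caller cannot probe which ids exist.
    """
    if token is None:
        raise PermissionError("authentication required")
    allowed = allowed_fields(token, user_id)
    if not allowed:
        raise PermissionError("no scope grants access to this resource")
    record = USERS.get(user_id)
    if record is None:
        raise KeyError(user_id)
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    third_party = Token(subject=7, scopes=frozenset({"profile:read"}))
    print(get_user_overshared(third_party, 42))  # includes password_hash, is_admin, internal_notes
    print(get_user_scoped(third_party, 42))      # {'id': 42, 'display_name': 'Alice'}
```

The important design choice is that the hardened handler uses an allow-list rather than a deny-list of sensitive fields: with a deny-list, the next column added to the record is exposed by default, which is exactly the "oversharing" failure the bullet describes.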
Improving the security of code
There are some key ways in which the security of software code can be improved. They include:
- Making security top of mind: There are some encouraging signs that this is starting to happen within developer communities. Three in five, for example, say they seek to use pre-approved code that has been confirmed as secure, and they deploy tools such as static, dynamic and interactive application security testing, along with software composition analysis. We need to see more of this, but to head off the conversations about time constraints, businesses need to build a comprehensive timeline that allows additional time for risk assessments of code.
- Increasing investment in training: Nine out of ten developers recognise they need training, and many want practical sessions built on work-relevant, real-life examples. They also feel they would benefit from hands-on interactivity and the chance to actually practise writing secure code as part of their training. In other words, a "check the boxes" approach delivered through a static computer program or course no longer suffices, and is too infrequent to make a difference. Dynamic material that is delivered in real time and tailored to specific languages and to the individual needs of the organisation will enable teams to keep up with an ever-changing threat landscape.
- Creating a team council: With both security staff and developers taking part, a collaborative council would strengthen assessments by adopting standardised practices. The council could also appoint an evangelist as its leader: someone who will push hard for stronger measures, such as real-time feedback on code as it is written, and a security champion programme.
The pace of evolution required to succeed in today’s business world is unlikely to slow any time soon. However, keeping up with this pace should not happen at the expense of effective software security.
There needs to be a focus on improving the security maturity of developer teams and ensuring they understand the key role they play in achieving robust and effective security across their entire organisation. This will help to support ongoing change while ensuring the organisation is protected from attacks.