A call to arms for devs: Get revolutionary about security as code

Daniel Cuthbert, Head of Security Research, Grupo Banco Santander (GESBAN)

In 1988, Robert Morris had an itch that needed to be scratched. He wanted to gauge how big the Internet was, and developed a worm that made use of numerous software vulnerabilities. The worm wasn't meant to be malicious, but due to an error in his approach, the program quickly spread—infecting 10% of the servers making up the Internet at the time.

Morris also became the first person prosecuted under the Computer Fraud and Abuse Act of 1986. But the prosecution did not dissuade others from focusing on software flaws: he and those who followed became famous for breaking software and exploiting vulnerabilities.

Since that time, the stakes have risen. The Morris worm cost organizations lost productivity: the time spent cleaning up the infections and reinstalling software. Today, however, attacks such as the NotPetya ransomware and the Stuxnet cyber attack have actually damaged systems and stopped production, causing hundreds of millions of dollars in damages to the affected organizations.

It is time to focus our efforts on defense—not the attacks—and make heroes of the people who can make a difference: Developers.

"Developers! Developers! Developers!"

We need to bring back the enthusiastic rallying cry of Microsoft's Steve Ballmer, who got up on stage and, now infamously, began chanting "Developers! Developers! Developers!" While his antics were widely derided and quickly became their own meme, we should take the sentiment to heart. Developers are the key to making software secure.

At DevSecCon, developers actually have a chance to learn how to make exploiting software much harder for attackers.

Today, the bad guys have it way too easy. We have massive ransomware attacks that shut down business operations, and intrusions that steal money and intellectual property. The NotPetya ransomware attack, for example, caused a conservative estimate of $1 billion in lost sales, and that only takes into account the dozen or so companies that have talked about the impact of the attack.

Nation-states become bad actors

And with nation-states now conducting cyber operations, the stakes have gotten even higher. North Korea, in particular, has become a major threat online because of its dedication to developing its cyber capabilities and the fact that there are few disincentives for it to conduct operations.

The list of major incidents placed at North Korea's collective feet is impressive: $81 million stolen from the central bank of Bangladesh, the breach and shutdown of Sony Pictures, and, most recently, the theft of plans for military operations from South Korea and its allies.

As we put more data online and think about the next-generation Web technologies, experts debate various aspects of the future: How do we make it 3D, how do we make it mobile, how do we make it continuous, how do we make it more intelligent? Almost no one is worried about how we make it more secure.

The problem is that people think of security as a blocker, not as an enabler. To this point, security has stood in the way of innovation and slowed down the delivery of products. We, as developers, need to change that.

Security as code's role

Security as code, as a concept, can be key to getting more developers to build security into their products. By focusing on integrating security into the development process, we empower developers to work quickly but within the security requirements that are set for the application or service.

I'm a child of the '80s, so I like to bring things back to bowling. It's a great game, but when you are starting out, it can be frustrating, because every other toss ends up in the gutter.

Yet, there is a fix for that. Beginners can raise the rails and prevent the ball from going into the gutter. They are not prevented from playing, but they are protected from the worst penalty in the game.

In a similar way, we need DevSecOps technologies that create rails for developers who are not security specialists, which, to be honest, is just about everyone. They can still play—and write code—but the rails make certain that they stay out of the gutters.
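What "security as code" and the bowling rails look like in practice: the security requirements set for a service are written as executable checks that run on every change, and only error-severity findings block a deployment. The following is an added example for this article, not code from the author or from Santander; the config layout, the rule names, the severity split and the vault:// convention for secret references are all assumptions chosen for illustration.

```python
"""Security as code: security requirements written as executable checks.

Added illustration for this article; it is not code from the author or
from Santander. The config layout, rule names and the vault:// convention
are assumptions chosen to show the 'rails' idea: developers keep shipping,
and the checks keep the service config out of the gutter.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

Config = dict[str, Any]
Rule = Callable[[Config], list[str]]  # returns one message per violation


@dataclass(frozen=True)
class Finding:
    rule: str
    message: str
    severity: str  # "error" blocks the pipeline, "warn" only reports


RULES: dict[str, tuple[str, Rule]] = {}


def rule(name: str, severity: str = "error"):
    """Register a check under a name so the gate can run every rule."""
    def register(check: Rule) -> Rule:
        RULES[name] = (severity, check)
        return check
    return register


@rule("tls-required")
def tls_required(cfg: Config) -> list[str]:
    # Every outbound endpoint must use https, not plaintext http.
    return [f"endpoint {name!r} does not use https"
            for name, url in cfg.get("endpoints", {}).items()
            if not url.startswith("https://")]


@rule("no-debug-in-prod")
def no_debug_in_prod(cfg: Config) -> list[str]:
    # Debug mode leaks stack traces and internals; never in production.
    if cfg.get("environment") == "production" and cfg.get("debug", False):
        return ["debug mode is enabled in production"]
    return []


@rule("no-inline-secrets")
def no_inline_secrets(cfg: Config) -> list[str]:
    # Secrets must be references into a vault, never literal values in config.
    return [f"secret {key!r} is a literal value, expected a vault:// reference"
            for key, value in cfg.get("secrets", {}).items()
            if not (isinstance(value, str) and value.startswith("vault://"))]


@rule("session-cookie-flags", severity="warn")
def session_cookie_flags(cfg: Config) -> list[str]:
    # Missing Secure/HttpOnly is reported but does not block a deploy here.
    cookie = cfg.get("session_cookie", {})
    missing = [flag for flag in ("secure", "httponly") if not cookie.get(flag, False)]
    return [f"session cookie is missing flag(s): {', '.join(missing)}"] if missing else []


def evaluate(cfg: Config) -> list[Finding]:
    """Run every registered rule and collect its findings."""
    return [Finding(name, msg, severity)
            for name, (severity, check) in RULES.items()
            for msg in check(cfg)]


def gate(cfg: Config) -> bool:
    """The rail: True when no error-severity finding exists; warnings pass."""
    return not any(f.severity == "error" for f in evaluate(cfg))


# Constructed sample configs (not real services).
BAD_CONFIG: Config = {
    "environment": "production",
    "debug": True,
    "endpoints": {"payments": "http://payments.example.internal"},
    "secrets": {"db_password": "literal-password-in-config"},
    "session_cookie": {"secure": True},
}
GOOD_CONFIG: Config = {
    "environment": "production",
    "debug": False,
    "endpoints": {"payments": "https://payments.example.internal"},
    "secrets": {"db_password": "vault://apps/shop/db_password"},
    "session_cookie": {"secure": True, "httponly": True},
}

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        for f in evaluate(cfg):
            print(f"[{f.severity}] {f.rule}: {f.message}")
        print(f"{label} config -> {'PASS' if gate(cfg) else 'BLOCKED'}")
```

Run as a script it prints each finding and whether the config would pass the gate. The point of the design is the split between "error" and "warn": the rails stop the ball only for the requirements the team has agreed are non-negotiable, while everything else is surfaced as feedback, so developers are protected from the worst outcome without being prevented from playing.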

It's time to shift the balance

We often look for an incident that will wake up developers and executives to the dangers. Yet, the numerous breaches this year alone are all calling to us to better secure our code, including the theft of information about 143 million Americans in the Equifax breach and the shutdown of more than a dozen facilities run by the U.K.’s National Health Service because of the WannaCry ransomware.

Security weaknesses are affecting average people who have no idea that software is enabling the way they interact with the world. Companies continue to put more data online about their business, to track their customers, and to impact people's lives, but continue to fail to create the secure development processes needed to protect that infrastructure.

Security as code is a change in mindset: We no longer care about who finds the flaw, and how bad it is. All flaws are bad. We need to shift the balance in favor of the defenders and start celebrating those who produce secure applications for millions to use without the worry of their personal data being leaked.