How to embrace secure software development practices

Pieter Danhieux Co-Founder, Chairman/CEO, Secure Code Warrior

Software developers and security professionals often seem like two dogs barking at each other from opposite sides of the fence.

According to a 2020 study by the Ponemon Institute, developers traditionally see security as a bottleneck to innovation and speed, while security leaders believe developers prioritize delivery time over quality. It's time to bridge the divide.

Developers find themselves at the front lines of defense for the organization, and in turn for the end user. In February, the National Institute of Standards and Technology released guidance on securing the software supply chain. The agency recommends minimum security measures for US enterprises, including enhanced evidence of security practices within software use and development.

A growing problem

The software supply chain has become an increasingly prominent target for cyber attacks. According to a study from Argon, software supply chain attacks grew by more than 300% between 2020 and 2021. These attacks included planting malicious code in popular open-source packages or exploiting an existing vulnerability.

The open-source component channel was a particularly popular target. According to a study from Sonatype, there are more than 37 million components and packages in the top four open-source ecosystems. Open-source software downloads hit 2.2 trillion last year, up 73% from 2020.

Organizations increasingly rely on open-source solutions for their business needs. While these open-source platforms provide tremendous value, they also introduce additional risk. That's where developers can be of vital use.

Changing the culture

The NIST guidelines will certainly push this movement forward, but organizations should take a proactive approach to improve security. This includes honest conversations and reporting structures between the app sec teams on one hand and developers and their managers on the other about priorities and expectations.

Developers should be encouraged to consistently grow their skills to improve security during the development process. This requires a strategy to ensure they have the time, training, and tools to achieve better security outcomes. Developers must view themselves as the tip of the spear for security.

Organizations must enact a cultural shift in their risk management strategies to adopt the NIST guidelines. Simply overlooking—or deprioritizing—security needs is no longer acceptable.

Upskilling developers

This culture shift requires a renewed emphasis on training and skill development. While developers learn specific skills during their formal education, they must also participate in regular training to keep pace with advances in technology.

If security leaders want developers to take a more active role in software security, they must provide them with the opportunity to learn the necessary techniques to produce higher-quality, more secure code. Too often, organizations minimize this need for training and may offer developers only an opportunity to participate in an annual refresher, if that.

One popular way to do this is through microlearning. In this format, developers participate in small learning units and short-term learning activities designed explicitly to build skill-based understanding.

Microlearning allows developers to learn new skills without continually devoting large chunks of time. Instead, they can take smaller courses that build on one another over time. This ensures that developers consistently learn the skills needed to produce secure code for the business, without having to set aside extended training periods, which often get pushed back to meet tight deadlines.

Pushing further ahead

There is hope for this needed culture shift. CISOs have generally seemed more interested in the security potential of development teams and what they do to protect everyone in the company from devastating security breaches.

Developers must be transparent with their needs as well. There must be empathy on both sides to manage competing priorities.

The SolarWinds attack showed how damaging holes in the software development process can be. Developers are positioned to make a considerable positive impact. Doing so requires understanding developer needs and balancing them with other priorities to ensure a positive and secure outcome for all.
