Devs still struggle with app sec: 3 ways to get your team up to speed

Brent Jenkins Evangelist, Micro Focus Fortify

The security features of web application frameworks are fairly complex, and correctly using code to implement security in an application is often difficult. No wonder, then, that 94% of applications tested in 2018 contained a vulnerability in a security feature, according to Micro Focus Software Security Research's 2019 Application Security Risk Report.

It's a critical—and unfortunately, persistent—problem. In 2017, almost the exact same percentage of applications—93%—had a vulnerability caused by the incorrect use of a security feature or defects in security functions.

While it would be easy to blame the developers, no developer ever says that they don't want to securely code software. Developers make mistakes when including new features in their software, and that results in vulnerabilities.

In addition to coding flaws in security features, the report found an increase in API abuse and code quality issues, both roughly doubling over the last four years.

Most often, developers lack training or adequate guidance from above, or they simply don't have the time. This last factor is exacerbated when companies adopt an agile development methodology, such as DevOps, without adequately considering security or integrating it into the cycle.

And while mistakes are often caught, when implementing security-oriented code—whether misusing the security features of an application framework or making a mistake when coding an internal security function—any vulnerabilities are likely to be critical.

Here are three steps to avoid those problems and get your dev team up to speed on best app sec practices.

1. Teach the developers well

Part of the problem stems from the fact that the population of software developers is rapidly expanding. Software developer jobs are expected to grow by 21% per year between 2018 and 2028, much faster than the average for all occupations, according to the US Bureau of Labor Statistics (BLS).

Many developers are self-taught. Even developers with a degree in computer science from a four-year university often lack security training, since until now most universities have only given lip service to secure coding. The fact is, most developers haven't been taught to code securely in the first place.

Within a company, the priority for security must come from the top down. Rather than the company-wide annual security training required by many compliance regimes, management should ensure that developers are educated on topic-specific areas of security.

In the top 10 web vulnerabilities found by Micro Focus' Software Security Research, mistakes in implementing secure transport, establishing cookie security, and protecting directories are just some of the security-focused issues that could be a starting point for training.

2. Make the tools dead simple

Developers do not have time, so another option is to train them—and enforce the training—while they code. Security tools built into integrated development environments (IDEs) can flag errors before they are even compiled, heading off mistakes before they become vulnerabilities.

To get developers to adopt this approach, the tools must be dead simple. And they must give straightforward, actionable information on the security vulnerability and how to fix it.

The tools have to enforce policy as well. Applications should only use Transport Layer Security (TLS) version 1.2 or 1.3, but nearly a third of the applications tested by Micro Focus still use the known-vulnerable versions 1.0 and 1.1. Both of these versions, for example, could be exploited by the POODLE attack.

Automation, if tuned properly, can also help. Specifically, automated testing at code check-in using static application security testing (SAST) to send a notice and file a ticket can help focus the developer on the problem as soon as possible.

Breaking a build when a problem is considered critical or exploitable with a high confidence can prevent a development team from pushing code into production with serious security flaws.
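A minimal form of the check-in gate described above, as an added example that is not from the article or from Fortify: it scans nginx `ssl_protocols` and Apache `SSLProtocol` directives in a constructed sample config and flags any that still enable SSLv3, TLS 1.0 or TLS 1.1, the kind of finding that would file a ticket or break the build.

```python
"""Check-in gate: flag TLS config lines that still enable SSLv3/TLS 1.0/TLS 1.1.

Constructed example. Understands nginx ``ssl_protocols`` directives and Apache
``SSLProtocol`` directives (including Apache's ``all``, ``+`` and ``-`` syntax,
applied left to right). Any other line is ignored.
"""
from __future__ import annotations
import re

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ALLOWED = {"TLSv1.2", "TLSv1.3"}  # policy from the article: TLS 1.2 or 1.3 only

_NGINX = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.IGNORECASE)
_APACHE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def enabled_protocols(line: str) -> set[str] | None:
    """Return the protocol set a directive enables, or None if the line is not one."""
    m = _NGINX.match(line)
    if m:  # nginx lists exactly the enabled versions
        return set(m.group(1).split())
    m = _APACHE.match(line)
    if not m:
        return None
    enabled: set[str] = set()
    for token in m.group(1).split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | members if sign == "+" else enabled - members
    return enabled


def audit_config(text: str) -> list[tuple[int, set[str]]]:
    """Return (line_number, weak_protocols) for each directive violating policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        enabled = enabled_protocols(line)
        if enabled is None:
            continue
        weak = enabled - ALLOWED
        if weak:
            findings.append((lineno, weak))
    return findings


# Constructed sample mixing nginx and Apache styles purely for illustration.
SAMPLE_CONFIG = """\
# tls settings
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""
```

Running `audit_config(SAMPLE_CONFIG)` reports lines 2 and 4, each still enabling TLSv1 and TLSv1.1; the remaining directives pass.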

3. Give developers the chance—and time—to experiment

While pushing developers to higher productivity is natural, they need time to experiment and learn. This applies to secure coding practices as well. Developers who are given time to experiment with different security technologies are both better informed and less likely to make mistakes.

Turning experimentation and training into a game, or at least an exercise in exploration, can help. Gamified exercises, such as Secure Code Warrior, can help teach developers secure patterns of coding.

The race is on for secure code

While app sec is fast moving and keeping up with the latest trends and tools is important, the top contributors to software vulnerabilities have remained largely the same over the years: coding mistakes such as buffer overflows, improper input validation, cross-site scripting, path-traversal, SQL injection, and code execution. 

That means this is doable for dev teams. Follow these three steps and you'll be well on your way. 