For years we’ve hyped the dangers of insecure software, but the hype is real and the stakes have never been higher. How many times have you heard that? It’s no secret that the line between security and development is blurring in the face of high-profile breaches, attacks and increasingly bold bad actors.
But does that mean you now need to be a security expert? If you’re hesitant to put on a security hat, and creating great software is what motivates you, that’s fine. But it’s never been more important that development be complementary to security.
No one wants their code to be the next weak link that ruins their career or puts attackers in the headlines. But the dangers of creating insecure code today are serious. Every developer must be conscious of security.
Why? Because we now live in an “everything is code” world. Whether it’s taking cash out at the ATM, staying in touch with friends or saving family photos, it’s all built on software. The power grids that serve our towns, the defense systems that protect our countries, the networks that house our medical records — all of it relies on code. And increasingly so do our cars and our homes. To top it off, the threat landscape is changing radically and cloud-based infrastructure is an entirely new game.
The good news is that if you’re on a properly managed cloud infrastructure you’ve already minimized your threat surface, at least from an infrastructure perspective. You no longer need to depend on systems, internal networks, data centers and physical computers managed by internal IT teams to do your work. Cloud-based systems offload many of those responsibilities to companies with deep pockets like Amazon, Google and Microsoft.
Alongside these benefits, it’s important to understand that the move to cloud focuses more attention on software and we’re going to see threat actors take greater advantage of software vulnerabilities. That’s why, as developers, we have to be one step ahead — anticipating what threat actors will do and knowing where new attack vectors lie. And if you’re thinking the code you write isn’t applicable, think again.
Consider open source. The commit you generously gave to the community has a strong likelihood of ending up in critical infrastructure. You can’t control whether it’s being used in a defense system or on a local retailer’s e-commerce site. What’s important is that it’s a potential attack surface. That’s why all software is mission critical and why the security of all code is crucial.
So, what can you do to ensure you’re building a security-oriented mindset into your development efforts and coding conscientiously? Here are eight habits that will serve you well.
- Start practicing: You may not want to be the next DevSecOps champion, but you should be practicing. Start familiarizing yourself, even if it’s just with baby steps, with common security tools. And practice patching real code. It will train you to identify flaws early on — a great skill for any developer.
- Show you’re mindful of security: Again, it doesn’t mean you need to be the security champion, but showing your peers and your organization that you are mindful of security and taking steps to increase the resiliency of your code will set you apart in the eyes of management and send a strong message to your peers that the code needs to be right.
- Make a point of looking at what went wrong: If you or someone else finds a vulnerability in your code, examine it to find out when and where things went wrong. A great way to do this is to read up on famous security flaws and how they happened. Over time you will begin to think like a hacker — a great skill to have when building software.
- Break things: Thinking like a hacker is step one. Learning how to break things like a hacker will take you to the next level and is the key to becoming a security-minded developer. You want to know your adversary, how they think and how they act.
- Learn common security flaws: Cross-site scripting is one of the most common security flaws. Could you spot it quickly, and fix it, in your code? Think back to the first point above. Start practicing.
- Scan early: When it comes to secure coding, the early bird really does get the worm. Don’t let the need for speed postpone early scans. You want to fix flaws and vulnerabilities fast and early. It’s far less work than finding them later.
- Automate: Consider using automated security tools. Automated code scanning in your IDE and other steps can save you time and keep you moving fast in production. Honing your skills and adding automation to the mix will make you more effective.
- Secure your open source code: We all use it, we all love it. About 90 percent of software today is made up of open source code. Look into enterprise-grade variations and examine the code yourself. Expecting project committers, particularly those in small projects, to ensure the security of their code is unrealistic and ungrateful.
We’re entering a new era in software development. Forming these habits won’t guarantee your code is safe — you can do everything right and still get hit — but they will ensure that your build process benefits from a strong security mindset that contributes to great software.