
Adopting Long Lasting AppSec Habits For 2023

The new year is traditionally a time to make resolutions and form good habits. It’s an opportunity that many of us take in both our professional and personal lives to adopt better practices and principles and embrace new ways of thinking.

More often than not, these resolutions fail within weeks – in fact, according to research, Jan 19th is the day on which most resolutions are abandoned – and the lack of focus or commitment behind that failure is sometimes the result of insufficient knowledge, education or support to drive long-lasting behavioral change.

If we look at the software development industry as an example, development teams are under significant pressure to bring new applications and services to market more quickly than ever before. Yet nearly every application has at least one vulnerability or misconfiguration that affects its security.

Vulnerabilities are rising year on year, and 90-95% of data breaches are due to web application vulnerabilities, according to Verizon’s 2021 DBIR. To combat this trend, we believe that development teams need a new year’s resolution to start understanding security principles and prioritizing coding securely as a long-lasting habit.

While there is no doubt that most developers, and indeed all roles within the software development lifecycle (SDLC), strive to master their trade, they may not have the in-depth understanding and knowledge of application security they need to help solve the current AppSec dilemma. For instance, we know that developers are unlikely to get this education in their computer science degrees: none of the top 50 U.S. computer science programs have mandatory secure coding courses.

At Security Journey, it is our mission to make coding securely a more lasting and ingrained habit. Through continuous application security education programs, we can instill a security-first mindset and ensure that, as part of ‘secure habits’, security is baked into any app development from the beginning, thereby reducing vulnerabilities.

What Does A ‘Secure Habit’ Mean For Your SDLC?

Secure habits will differ for everyone in the SDLC given the varied roles and responsibilities, from developers to those in Product Management, Quality Assurance, and Project Management, and also the different levels of experience that exist within all these roles.

For example, secure habits are beneficial for any developer at the start of their secure coding journey, as they can provide foundational practices that are then supported with programmatic training. However, it’s also crucial for those further along in their career who can apply the concepts they’ve learned to their everyday software development.

Some suggestions for different areas of the SDLC include:

Software Engineers and UX:

  • Need: An awareness of the ‘bigger story’, and an understanding of where and how security concepts are applied, for those with a hands-on role in software development.
  • Secure Habit: Regular code reviews in which they collaborate with peers and security experts on the security of their new features. Peer review is already a regular habit for developers, so ‘habit stacking’ a security assessment onto it is a simple but effective security shift.

Product and Project Managers:

  • Need: Greater collaboration across teams to eradicate security silos.
  • Secure Habit: Plan work proactively across the team to ensure user stories and technical tasks are inclusive of security. For example, threat modeling discussions should be had early in the design process.

Quality Assurance Managers:

  • Need: Assess security as a priority, in addition to functionality, as part of ‘speed-to-market’ strategies.
  • Secure Habit: Ensure test plans are implemented, with test automation that validates not just the quality but also the security of an application.
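As an added illustration of that habit (example code written for this page, not code from the original post or from Security Journey): a small path-joining helper with a data-driven test suite in which abuse cases sit beside the ordinary functional cases, so the same automation that proves the feature works also proves it refuses hostile input. The helper, the base directory and every input are constructed for the example.

```python
"""Security cases beside functional cases in one automated test suite.

Added illustration, not code from the original post or from Security Journey.
The helper, the base directory and every input below are constructed for the
example; the point is that the same automation that proves the feature works
also proves it refuses hostile input.
"""
from pathlib import PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would escape the base directory."""


def safe_join(base: str, user_path: str) -> str:
    """Join a user-supplied relative path onto base without letting it escape.

    Rejects NUL bytes, absolute paths and any '..' component, then confirms the
    joined result is still inside base (defence in depth; PurePosixPath does not
    collapse '..', so the component check is the one that normally fires).
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    candidate = PurePosixPath(user_path)
    if candidate.is_absolute():
        raise UnsafePathError("absolute path not allowed")
    if ".." in candidate.parts:
        raise UnsafePathError("parent-directory reference not allowed")
    base_path = PurePosixPath(base)
    joined = base_path / candidate
    if joined != base_path and base_path not in joined.parents:
        raise UnsafePathError("path escapes base directory")
    return str(joined)


BASE = "/srv/uploads"  # constructed base directory

# Functional cases: ordinary inputs and the exact result expected (constructed).
FUNCTIONAL_CASES = [
    ("report.pdf", "/srv/uploads/report.pdf"),
    ("2023/jan/report.pdf", "/srv/uploads/2023/jan/report.pdf"),
    ("./notes.txt", "/srv/uploads/notes.txt"),
]

# Security cases: inputs the function must refuse (constructed abuse cases).
SECURITY_CASES = [
    "../../etc/passwd",          # plain traversal
    "reports/../../secret.txt",  # traversal hidden behind a valid prefix
    "/etc/passwd",               # absolute path would replace the base entirely
    "report.pdf\x00.jpg",        # NUL byte that a lower C layer might truncate on
]


def run_suite(base: str = BASE) -> dict:
    """Run both suites and return {check_name: passed}.

    A security case passes only when safe_join raises UnsafePathError; silently
    accepting the input is recorded as a failure, exactly like a wrong answer in
    a functional case.
    """
    results = {}
    for user_path, expected in FUNCTIONAL_CASES:
        results[f"functional:{user_path!r}"] = safe_join(base, user_path) == expected
    for user_path in SECURITY_CASES:
        try:
            safe_join(base, user_path)
            results[f"security:{user_path!r}"] = False
        except UnsafePathError:
            results[f"security:{user_path!r}"] = True
    return results


if __name__ == "__main__":
    for name, passed in run_suite().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The design point is that `SECURITY_CASES` is maintained next to `FUNCTIONAL_CASES` and runs in the same job; a new abuse case found in a code review or pentest is added as one line of data, and a regression that starts accepting it fails the build the same way a broken feature would.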

Development Leaders:

  • Need: Be more accountable for developing applications with fewer vulnerabilities.
  • Secure Habit: It’s time security is seen as a ‘lifeboat feature’ – a non-negotiable priority as part of an MVP – which means that if there are vulnerabilities, the application cannot be shipped.
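To make that ‘cannot be shipped’ rule concrete, here is an added example (written for this page, not code from the original post or from Security Journey) of a release gate a pipeline can run before deployment: it reads a list of findings and refuses to mark the build shippable while open findings exceed policy. The findings are constructed, in a made-up shape standing in for whatever a team’s scanners or pentest report produce, and the severity names and thresholds in `Policy` are assumptions chosen for the example.

```python
"""A release gate that treats security as a 'lifeboat feature'.

Added illustration, not code from the original post or from Security Journey.
The findings below are constructed, in a made-up shape standing in for whatever
the team's scanners or pentest report produce; the severity names and
thresholds in Policy are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    title: str
    accepted_risk: bool = False  # a documented exception is on file for it


@dataclass(frozen=True)
class Policy:
    block_at_or_above: str = "high"  # any finding at this level blocks, exception or not
    max_open_medium: int = 3         # more open mediums than this also blocks


def evaluate_release(findings: Optional[List[Finding]],
                     policy: Policy = Policy()) -> Tuple[bool, List[str]]:
    """Return (shippable, reasons); reasons lists every rule that blocked the build.

    Fails closed: a missing scan result, or a severity the policy does not
    recognise, is treated as a block rather than a pass.
    """
    if findings is None:
        return False, ["no scan results available for this build"]
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    reasons = []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            reasons.append(f"{f.id}: unrecognised severity {f.severity!r}")
        elif rank >= threshold:
            # Risk acceptance never waives a finding at or above the blocking level.
            reasons.append(f"{f.id}: {f.severity} - {f.title}")
    open_medium = [f for f in findings
                   if f.severity.lower() == "medium" and not f.accepted_risk]
    if len(open_medium) > policy.max_open_medium:
        reasons.append(f"{len(open_medium)} open medium findings exceed "
                       f"the limit of {policy.max_open_medium}")
    return not reasons, reasons


# Constructed sample report for a hypothetical build.
SAMPLE_FINDINGS = [
    Finding("F-1", "high", "SQL injection in search endpoint"),
    Finding("F-2", "medium", "Missing Content-Security-Policy header"),
    Finding("F-3", "medium", "Verbose error page", accepted_risk=True),
    Finding("F-4", "low", "Outdated JavaScript library"),
]


def main() -> int:
    """Exit non-zero when the build is blocked, so a CI pipeline stops here."""
    shippable, reasons = evaluate_release(SAMPLE_FINDINGS)
    print("SHIP" if shippable else "BLOCK")
    for reason in reasons:
        print(" -", reason)
    return 0 if shippable else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Two choices carry the ‘lifeboat’ idea: the gate fails closed when no scan ran or a severity is unknown, and a documented risk acceptance can only quiet findings below the blocking level, so nobody can ship a high-severity finding by filing an exception.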

The future of application development can be secure with continuous focus and efforts made to ensure everyone practices secure habits. This goal can be supported by programmatic education and awareness to change habits and ensure better cyber hygiene.

But it’s only possible if organizations are determined to accomplish their new year’s resolution by prioritizing secure coding training and making it a “secure habit”.