In today's digital landscape, the importance of application security cannot be overstated. As developers strive to deliver robust and reliable applications and software, it has become increasingly clear that a security-first mindset must be embraced from the very beginning of the software development lifecycle (SDLC). So much so, CISA director, Jen Easterly, recently called on the technology industry to take responsibility for secure products. She stated that by design, products are released to market with hundreds of potential defects. Something needs to change.
While it’s now recognized across industry that to develop a good, safe product, security has to be a priority from the start, many teams find themselves grappling with the question of how to achieve this crucial objective. To truly bake in security from the start and ensure the development of secure products, there are a number of practical steps that organizations can take – from embracing more secure habits, to empowering developers with a continuous cycle of training.
Establishing secure habits
Organizations must champion secure coding as an integral part of the SDLC and ensure it becomes an ingrained habit to establish a culture of security from the start. This requires investing in knowledge and education to support behavioural change.
Training programs for developers and the teams supporting them should encourage and enable the adoption of more secure habits. For example, development leaders should focus on accountability for developing applications with fewer vulnerabilities. A ‘secure habit’ for them could be treating security features as "lifeboat" essentials before releasing code. It may require a shift in mindset but will prove invaluable for enhancing application security. Alternatively, for software developers, embracing code scans or reviews early in the development process should become a vital habit, provided they understand the value of secure coding and possess the necessary knowledge to minimize vulnerabilities proactively.
Going beyond code scanning
It’s important to recognize, however, that while code scanning and source code analysis tools are widely used in the industry, relying exclusively on these solutions presents certain limitations. The prevalence of false positives can lead to "alert fatigue" among developers, resulting in the dismissal of flagged flaws and a false sense of security. A recent EMA study on secure coding practices found that out of 129 software development professionals using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools. While code scanning is necessary to find vulnerabilities, organizations need more than this approach to reduce vulnerabilities in code.
The EMA study also revealed that as many as 70% of organizations are missing critical security steps in their SDLC, highlighting the need to adopt an effective security strategy. To achieve a security-first mindset, we must empower development teams and invest in programmatic, continuous education to effectively combat the rising tide of application vulnerabilities.
By fostering a culture of shared responsibility, you establish a collaborative security culture. Often, there’s a disconnect between development and security teams – the former strives for fast innovation, the latter prefers safety over speed. Security leaders need to work closely with developers throughout the development process, offering guidance and support. By incorporating security considerations into each phase of the SDLC, from requirements gathering to deployment, teams can collectively build secure applications. Education serves as the foundation for collaboration by providing common values and experience, which in turn enables conversations about improvement. Encouraging an open line of communication, promoting secure coding best practices, and providing access to up-to-date security resources will help developers make informed decisions and take proactive steps to prevent vulnerabilities.
Continuous education is crucial for maintaining a strong security posture and is the foundation for each practical step organizations need to take to empower their SDLCs. Everyone involved in creating software should understand application security, so developers are better supported to write secure code. Organizations should invest in regular training and awareness programs to keep developers up to date on emerging threats, vulnerabilities, and secure coding practices. By staying informed about the latest security trends and adopting a proactive approach to education, teams can better anticipate and mitigate potential risks from the earliest stages of development.