Life in the Fast Lane: Reducing Vulnerabilities When Rushing to Scale
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Pieter Danhieux of Secure Code Warrior speeds through reducing vulnerabilities and risk when rushing to scale.
“You must move at the speed of business …”
This oft-repeated mantra defines the modern workplace, with the relentless pressure to rapidly scale: Market demands seemingly shift by the day– or hour. If you fail to shift with them, you risk extinction. But how can organizations keep up with this accelerated pace?
Indeed, it’s all about making something available everywhere people want – now – and software development teams are feeling the heat. They’re perpetually under the gun to perform a miracle, to continuously create new applications and solutions that will earn the most significant buzz. Additionally, emerging “latest and greatest” solutions are constantly being thrown at developers, which can easily cause distractions. When we asked global software developers about their top priorities, they told us they are dialed in on ensuring code quality, boosting application performance, and solving real-world problems. Security, however, fell behind these priorities.
Unfortunately, that does not come as a surprise. We too often hear, “We need to get this out ASAP … We’ll deal with the secondary stuff later.” Subsequently, security takes a backseat, regardless of how these decisions may impact customers in the future. This scenario is repeating itself in an endless spiral, despite the urgent tone of a White House call for more fortified software to counter “foreign governments and criminal syndicates (which) are regularly seeking ways to compromise our digital infrastructure.” Until organizations take a step back and get everyone on the same page, executive guidance can only go so far.
Vulnerabilities and Risks When Rushing to Scale
Dig deeper into the troublesome cycle, and you’ll find the following sources of increased risks:
- Speed traps. As indicated, the rush to scale leads directly to the issues. Two-thirds of developers told us they know they’re shipping code with vulnerabilities. When we asked why, they said their organization and/or management team prioritize functionality over security (as cited by 37 percent) and that they simply do not have time to build security into code while still meeting tight deadlines (36 percent). One-third said they don’t know how to identify or fix vulnerabilities, and one-quarter said they feel fixing insecure code is someone else’s job.
- Vulnerable libraries. Developer teams rely heavily on pre-existing code, but 45 percent are using libraries or frameworks with inherent flaws because they are not tested/evaluated on an ongoing basis for vulnerabilities.
- Chatty application programming interfaces (APIs). APIs are supposed to enable communication between software components, facilitating user requests and responding to them. But developers frequently over-permit APIs for functions, so they don’t have to keep changing access rights with every program build. That’s when APIs will talk too much, oversharing critical information that attackers will exploit. But swift scaling does not have to diminish the protection of code.
Here are three ways you can make sure it doesn’t:
- Think “security first.” We’ve seen some encouraging signs here from developers. Three of five, for example, said they seek to use pre-approved code, which is confirmed as secure, and they deploy tools such as static, dynamic, and interactive application security testing, along with software composition analysis. We need to see more of this, but to avoid conversations around time constraints; businesses need to develop a comprehensive timeline that builds in additional time for risk assessments of code.
- Commit to better training. Nine of ten developers recognize they need training, and many want practical sessions leveraging work-relevant, real-life examples. In addition, they feel they’d benefit from hands-on interactivity and opportunities to actually practice writing secure code as part of their training. In other words, a “check the boxes” approach conducted with a static computer program or course no longer suffices, and is too infrequent to make a difference. Dynamic material that’s delivered in real-time and catered toward specific languages and individual needs of organizations will enable teams to rise to the ever-changing threat landscape.
- Establish a team council. With security and developers taking part, a collaborative council would strengthen assessments with the adoption of standardized practices. The council could also appoint an evangelist as its leader – someone who will push hard for stronger measures, such as real-time feedback on code as it’s written, and a security champion program.
We all realize that rapid scaling is required in today’s frantic business environment. But market realities should not arrive at the expense of safe products. Instead, you must focus on scaling the security maturity of developer teams. With both security staffers and developers taking a unified “one team” approach to these issues and implementing better, more standardized practices and training, you’ll keep up with new demands while still ensuring the code is protected.