Better app security cannot start with tools

Better app security cannot start with tools
Matias is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. When he is away from his desk, he serves as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec, and BruCon.

There is a common trope in science fiction movies where robots start to think for themselves and launch a war with humans for control of Earth.

These storylines come from a familiar place. We continue to see robots, machines, and technological tools replace many traditional jobs requiring a human touch. Many industries, such as manufacturing, rely heavily on these devices, with automation a growing threat to the workforce.

Technological tools remain critical to software development, but they also have limitations. Software development has become equal parts art and science with a skilled, trained developer able to complement static tools and add key value beyond a solely robot-led approach.

There is a critical human element to cybersecurity. It is one that can take insights from active users, their own experience, and the priorities of their organization to rethink security. Humans must play a vital role in security, expertly leveraging tools but also applying contextual intuition and experience to improve security posture.

Tools provide limited scope and often respond reactively

The rapid software development lifecycle has often made security an afterthought, and applications too often ship with known vulnerabilities. To repair these gaps, other developers participating later on in the lifecycle rely on tools that provide great utility, but often respond reactively to threats and address security after the fact. Some of the most commonly used tools can only offer limited protection. They include:

  • Vulnerability scanners: These applications take an inventory of technology assets and then check the operating system against a database of known vulnerabilities. While a critical component of cyber defense, vulnerability scanners can only find known threats and remain susceptible to new attack vectors. There is no single scanner that is a catch-all, and they can be notoriously slow, bogging down the security team in false positives and negatives that demand meticulous sorting.
  • Software Bill of Materials (SBOM): This provides an inventory of a codebase, including open-source components and license and version information. Like vulnerability scanners, these tools check against known vulnerabilities, leaving them open to new types of attacks. They can also be a challenge to keep updated, and require significant time from already overworked development teams.
  • Jira: Originally an issue tracker, Jira is a work management tool that allows developers and IT teams to identify and track coding issues as they build software.  This method tends to be reactive and relies on users to identify, research, and resolve problems.
  • Embold: This tool allows you to manage and monitor the quality of software projects. It works as an aid to help developers write clear code using artificial intelligence. However, Embold creates generic applications that might not have the depth of security and features that an organization desires.

Security-skilled developers using a proactive approach make a bigger impact

The tools listed above all work on a reactive basis. This is where developers can provide real value. They do not need to wait for a breach to expose threat information to take action. Developer teams can build in proactive security controls that shift with emerging threat trends.

Developers can play a key role in their organization’s security maturity. When properly aligned, development teams and their organizations can work toward a continuous cycle of improvement to stay ahead of evolving threats. This process ensures they keep pace with evolving threats and minimize the risk of an exploit in the code and software being shipped.

Developers are better positioned than anyone to scrutinize vulnerabilities in reused or existing code, along with being a meaningful contributor to defining a secure code standard. Properly trained developers who understand how to build security into the software development lifecycle are as valuable, if not more so than the machines and applications supporting the business operation.

While tools certainly have value and remain a must-have, they cannot become the only focus in an organization looking for a more holistic, defensive, and modern approach to cybersecurity. These tools provide a limited view, but developers can fill the gaps through their experience and proper knowledge. They can contribute to a security-centric culture and provide long-term value to an organization’s security posture.

Important next steps

Security-skilled developers will never go out of style or risk being truly replaced.

Developers must continue to undergo training and upskilling to keep this advantage, while organizations must continue to invest in their talent. We’re still witnessing a skills gap among developers, leading to heavy turnover. Instead of leveraging automated technologies to fill these gaps, organizations should invest more in their current developers and provide them the opportunity to take meaningful training.

As robots, automated technologies and artificial intelligence become more common, we must remember where humans still provide value. It starts with security.

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *