The Ultimate Security Blind Spot You Don’t Know You Have – The Hacker News
How much time do developers spend actually writing code?
According to recent studies , developers spend more time maintaining, testing and securing existing program code than they do writing or improving code. Security vulnerabilities have a bad habit of popping up during the software development process, only to surface after an application has been deployed. The particular disappointing part is that many of these security flaws and bugs could have been resolved in an earlier stage and there are proper methods plus tools to uncover them.
How much time does a developer spend on learning to write a functioning program code? And how much is spent on learning about code security? Or learning how not to program code? ”
Wouldn’t it be better to eradicate the problem from the system rather than having it there, and then trying to detect and stop an ongoing attack targeting it?
You can test your secure coding skills with this short self-assessment.
The true cost of bugs
Everyone makes mistakes, even designers. Software bugs are inevitable and are accepted as the “cost of doing business” in this field.
That being said, any unfixed bugs in code are the lifeblood associated with attackers. If they can find at least one bug in a system that can be exploited in the right way (i. e., a software vulnerability), they can leverage that vulnerability to cause massive damage, potentially on the scale of tens of millions of dollars – as we see through well-publicized cases hitting the headlines every year.
And even when it comes to less serious vulnerabilities, fixing them can be very costly – especially if the weakness is introduced much earlier in the SDLC due to a design flaw or a missing security requirement.
Why is the current approach to software security falling short?
1 — Too much reliance on tech (and not enough on humans)
Automation and cybersecurity tools are supposed to reduce the workload for programmers and application security staff by scanning, detecting, and mitigating software program vulnerabilities, however:
- While these tools do contribute to cybersecurity efforts, studies show that they can only discover 45% of overall vulnerabilities
- They can also produce “false positives, ” leading to unnecessary concern, delays, and rework
- …or even worse, “false negatives, ” creating an extremely dangerous false sense of security
2 — The DevSec disconnect
The DevSec disconnect refers to the well-known tension between dev teams and protection teams due to different (and often conflicting) priorities with regards to new features and bug fixes.
As a result of this friction, 48% associated with developers end up regularly pushing vulnerable code into production. Vulnerabilities discovered later within the development cycle often don’t get mitigated, or even end up producing extra costs, delays, plus risks further down the line. These are the consequences of short-term thinking: ultimately, it would be better to fix the problem at the source instead of spending time and resources on finding code flaws later in the software advancement lifecycle.
3 — Monitoring your supply chain but not your own software
Another common mistake is focusing solely on the software program supply chain security and only addressing known vulnerabilities within existing software products and packages listed in the famous Common Vulnerabilities and Exposures database or the National Vulnerability Database.
Dealing with any vulnerabilities in third-party components, your dependencies, or the operating environment is essential, but this won’t help you with vulnerabilities in your own code.
Similarly, monitoring potential attacks via intrusion detection systems (IDS) or firewalls followed by incident response is a good idea – and is recognized by OWASP Top 10 as a necessity – but these activities just deal with the consequences associated with cyberattacks rather than the cause.
The solution: make secure coding a team sport
Your cybersecurity is only as strong as your weakest link. Software development is not an assembly line job, plus – despite all predictions – it won’t be fully automated anytime soon. Programmers are creative problem-solvers who need to make hundreds of decisions each day as they write program code, because software program development is a type of craftsmanship.
When it comes down to it, whether a piece of code is secure or not is up to the skills of individual developers.
Processes, standards, and tools can help foster and reinforce best practices, but if a programmer doesn’t know about a particular type of bad practice, they’re likely to keep committing the same mistake (and introducing the same kind of vulnerability within the code) over and over again.
6 tips for empowering secure code
The number of newly discovered vulnerabilities is rising and the threats posed by malicious cyber actors are usually steadily getting more sophisticated. Most organizations start implementing a secure development lifecycle after a good incident, when you ask us when you should start, the answer, of course , will always be the sooner, the better.
That’s because when it comes to critical vulnerabilities, even hours can mean the difference among no lasting damage and a financial disaster.
Here are our top tips for doing exactly that:
1 — Shift left – expand security perspective to early phases associated with development
Relying on DevSecOps-style safety tool automation by itself isn’t enough, you need to implement real culture change. SAST, DAST, or penetration testing will be on the right in the SDLC; shift remaining towards the beginning of the software growth lifecycle for more comprehensive coverage.
2 — Adopt the secure development lifecycle approach
MS SDL or OWASP SAMM for example will provide a framework for your processes and act as a good starting point for your cybersecurity initiative.
a few — Cover your entire IT ecosystem
Third-party vulnerabilities pose a huge risk to your business’ cybersecurity, but your own developers may be introducing problems to the software, too. You need to be able to identify and resolve vulnerabilities upon premises, in the cloud, and in third-party environments.
4 — Move from reaction to prevention
Add defensive programming concepts to your coding guidelines. Robustness is what you need. Good security is all about paranoia, after all.
5 — Mindset matters more than tech
Firewalls and IDSs won’t protect your own software from hackers by themselves; they just deal with the consequences of already existing vulnerabilities. Tackle the problem at its root: the developers’ mindset and personal accountability.
six — Invest in secure code training
Look for a which covers a wide range of programming languages and provides thorough coverage of secure code standards, weeknesses databases, plus industry-renowned crucial software weakness types. Hands-on lab exercises in developers’ native environments are a huge plus for getting them up to speed quickly and bridging that will pesky knowing-doing gap.
Cydrill’s blended learning journey provides training in proactive plus effective safe coding for developers through Fortune 500 companies all over the world. By combining instructor-led training, e-learning, hands-on labs, and gamification, Cydrill provides a novel and effective approach to learning how to code securely.