Security has long been seen as an afterthought in the DevOps process, and a new report from Secure Code Warrior offers a reason why. While developers say a security-led approach is important within the software development life cycle, 86% of respondents don’t think security is a top priority. Rather, they point to other competing priorities, such as meeting deadlines. Developers are also hampered by a lack of training and guidance on how to implement security into app development.
“Developers want to do the right thing, and while they are starting to care more about security, their working environment doesn’t always make it easy for them to make it a priority,” Pieter Danhieux, co-founder and CEO, Secure Code Warrior, said in a formal statement.
As long as developers don’t treat security as a top priority, AppSec will suffer. The challenge for CISOs and security teams is to change attitudes and improve efforts by DevOps teams when it comes to AppSec.
Functionality Over Security Is a Flawed Theory
These days, developers are expected to constantly push out new updates with the latest and greatest functionality, explained Hank Schless, senior manager, security solutions at Lookout.
“If security isn’t part of the development process, then it often gets overlooked or is seen as a blocker to getting updates out quickly enough,” Schless stated in an email interview.
There’s also no such thing as perfect code. Every version of every software release ships with some flaw, so no matter how fast the app gets out the door, a single vulnerability discovered afterward will slow down production.
Zero-day threats and other vulnerabilities show up after apps are released, and they usually can’t be patched until the next version release. “Most development teams work in two-week sprints, so this means that the fix sometimes isn’t pushed for a week or so,” said Schless. To make the case for security as a priority, it helps to show the cause and effect of prioritizing functionality over security, and the cost of bringing security into the life cycle too late.
Security Awareness Training for Developers
There’s no question that security awareness training is needed throughout any organization, but it takes on a different level of importance for development teams.
“While organizations encourage secure coding practices, developers are unclear on how they are defined in their day-to-day work, and what is expected of them,” Danhieux said in a formal statement. “To reach a higher standard of code quality, organizations must formalize secure coding standards as they apply to developers and guide a change in behavior that reinforces good coding patterns and enables security at speed.”
Security awareness—not just in terms of how to spot threats—needs to be part of the development team’s training. Developers need to know why security in the app process is necessary and how it improves app management and the development life cycle. They also require education in the security and compliance standards that apply to them and in how to incorporate those standards into their code.
The Cloud’s Role in AppSec
One of the biggest advantages of cloud-delivered software is that an update can be pushed to the entire user base to fix these issues, according to Schless. Before the cloud, vulnerabilities could exist for months or years without being addressed.
“Usually, attackers use the lack of security in an app to get to valuable personal information or bypass native security capabilities on the device,” Schless said. “This is why it’s so important to secure all of your smartphones, tablets and computers with additional security software that can stop threat actors who try to exploit known and unknown vulnerabilities.”
Cloud apps used by the enterprise are just as vulnerable to these risks. Attackers targeting the enterprise will look for vulnerabilities in these apps, purchase exploits from the dark web, or phish for legitimate login credentials to gain access to the data inside.
“Enterprise organizations need to have a way to detect anomalous behavior indicative of a threat actor who was able to get inside their cloud infrastructure with the intent of stealing valuable data,” said Schless.
Developers are incentivized to deliver features quickly, said John Bambenek, principal threat hunter at Netenrich. “No one ever got a bonus by rolling up to their daily stand-up saying they are holding up a commit because of a security issue. Until the leadership of engineering teams are held accountable for preventable security issues, nothing changes.”
The bottom line is that developers can either be fast or they can ensure security. Right now, being fast seems to be the priority. But if security isn’t brought into development earlier, a vulnerability or cybersecurity incident will bring business operations to a halt.