As a new year commences, it’s not unusual for people to take the opportunity to adopt better practices and principles and embrace new ways of thinking in both their personal and professional lives.
Software development teams always strive to master their trade, improve their practices, and deliver secure applications and services, especially because application security risks are mounting and expectations are higher than ever (53% of developers are now expected to take full responsibility for security within their organizations).
Yet despite continuous breaches at the fault of insecure code, secure coding training for development teams is still almost completely absent from computer science programs in top US colleges. Faced with this “AppSec dilemma”, it’s vital that 2023 becomes the year for new, secure habits across the software development lifecycle (SDLC).
Making secure habits stick with security education
New year’s resolutions can fail fast. Sometimes a lack of focus or commitment can be a product of insufficient knowledge, education or support to drive long-lasting behavioral change. Those in the SDLC may not have the in-depth understanding of application security that they need to – and may not know exactly how flaws in code will impact the product, business and the customer and what must be done to remediate the flaw.
To enable more secure habits for developers and everyone that supports the delivery of secure code, education and a security-first mindset need to become priorities. Awareness is all good and well, but they must be able to acquire deep knowledge and understanding of how to implement the key security principles required to resolve old and new types of code vulnerabilities.
Take injection flaws as an example: This category of vulnerabilities has been on the OWASP Top 10 list for the last ten years and remains one of the three most critical web application flaws. Injection vulnerabilities are also some of the easiest to mitigate – it can take as little as 10 minutes of training to educate developers on how to tackle this issue. But developers who are looking to reduce the chance of SQLi vulnerabilities in their code will not be able to commit to a long-lasting secure habit if they’re not first educated on the basic principles of the vulnerability and how to prevent similar flaws. Training can kick-start change and improve application security.
Of course, education on SQLi will not be relevant to everyone. Each role across the SDLC will need to embrace different secure habits to best support secure coding.
While they may not be writing code themselves, development leaders need to become more accountable for developing applications with fewer vulnerabilities. A secure habit for these professionals could be to view security as a “lifeboat feature” (i.e., a non-negotiable priority), meaning that if there are vulnerabilities in the code, an application will not be shipped.
Product and project managers
Often organizations are challenged by security siloes and poor collaboration across teams. Product and project managers must work more proactively with developers to ensure requirements are detailed and ensure security is seen as a priority in any new application or service. For example, threat modelling discussions should be had early in the design process to boost productivity.
Software and user experience (UX) engineers
Regular code reviews are already a habit for those who are developing code. Developers and UX experts who want to get a better understanding of where security concepts are applied can turn to trusted colleagues and request that code reviews incorporate an assessment of their security, too. By “habit stacking” general reviews and security reviews, these new secure habits are more likely to become long-lasting.
Quality assurance (QA) managers
QA managers need to see security on par with functionality when looking at “speed to market” strategies. Ensuring test automation validates not only quality but also the security of an application will therefore be a crucial secure habit to reduce the number of vulnerabilities present after release.
All these habits are relatively small, achievable shifts that could have significant impact on the security of applications. Yet without persistent and programmatic education on the importance of security and how it can be achieved, these habits will suffer the fate of most New Year’s resolutions and dissolve over time.