
Developers need learning, skills to tackle security

Pieter Danhieux has an impressive background in cybersecurity. And he acknowledges that when it comes to building software, problems in the code lead to security issues. Yet he blames this problem not on the developers themselves, but on what he has seen as “a lot of things we’ve done wrong with developers.”

Organizations, he said, have given development teams tools they’re not familiar with and don’t know how to use. Further, developers are actually split over their role in security. While some have embraced secure coding practices, others still have not. “Developers say security is slowing me down,” said Danhieux, the CEO of Secure Code Warrior, a company that takes a holistic view of software security. “They just want to release new features as quickly as they can. The friction (developers have) with security teams still exists.”

Meanwhile, colleges and universities are not including safety and security as part of their software engineering curricula. This leaves new developers entering the field ill-prepared to take on security issues that might be created while they are writing new code.

This certainly is not a new problem. For instance, the OWASP Top 10 list of software vulnerabilities was first published in 2003, and many of the items on that list – cross-site scripting and SQL injection, as two examples – remained there for many years, because developers didn’t understand the vulnerabilities and lacked the knowledge and skills to end these issues.

Danhieux recommended that developers take a single issue – SQL injection, for example – and learn how to eliminate that one thing. When that’s taken care of, move on to the next biggest issue, and eliminate that one. Before too long, the code will be more secure and developers will have the skills to stay on top of security. 

Another aspect of modern software development that makes security so important is that more of the applications being written today are consumer-facing, whereas in the past much of the work was done on the back end, behind the scenes. “Software is in your house, in your car, in your watch,” Danhieux said. “It must not be vulnerable.” Some organizations, he pointed out, still take risks by pushing software live before they can certify it is secure, but in a few years that won’t be an option because of where software is embedded.

NIST – the U.S. National Institute of Standards and Technology – recently updated its Secure Software Development Framework (SSDF) to address security in the software supply chain, meaning the open-source and third-party components developers rely on to complete their applications. The update outlines the need to produce well-secured software with minimal vulnerabilities upon release.

Yet, judging from the sheer number of breaches reported each year, that is no easy task.

According to Danhieux, developers will be absolutely key in upholding those SSDF recommendations, but he also noted they’re often not set up for success in security, having had little to no exposure to secure coding best practices or security tooling. “Security programs must include comprehensive developer enablement and upskilling so they can tackle common vulnerabilities head-on, and share responsibility for upholding those best practice guidelines,” he said. 

Danhieux emphasized the need for verified developer security skills from vendors supplying software to the government, “so it’s vital that they can build upon foundational learning that is practical and assessable,” he said.

To help developers get out in front of these issues, Secure Code Warrior provides learning and tooling for developers, including coding patterns that can help them avoid introducing vulnerabilities into their work, Danhieux said. The company’s platform, he added, uses gamification to bring those security skills to developers. “We’re not policing them,” he said.

The post Developers need learning, skills to tackle security appeared first on SD Times.



from SD Times https://ift.tt/gUslYqc
