In this Help Net Security interview, Karl Mattson, CISO at Endor Labs, discusses strategies for enhancing secure software development.
Mattson covers how developers can address vulnerabilities in complex systems, ways organizations can better support secure coding practices, and the role of languages and frameworks in secure development.
Modern software systems are increasingly complex. What strategies can developers adopt to address hidden vulnerabilities arising from this complexity?
Developers can capitalize today on a series of quite new strategies which significantly better address source code security, and which remove legacy barriers in the way of handling scale and complexity. A simple but important barrier to remove is context switching. Start by first giving developers security capabilities within the developer tools they are already using – e.g. IDEs and code repositories, and empower the developers to interact with security information within their native workflows of building and managing source code.
Next, we absolutely need to stop giving developers mountains of false positive vulnerabilities, and instead give findings which are true positive and that come with specific impact analysis of upgrade options. This kind of decision support allows the developer to move through a series of decisions quickly and correctly, with no wasted time and effort. Those days are behind us.
These technical enhancements can make a 99% reduction in time/effort to remediate vulnerabilities in source code. With that friction and effort removed, we have far greater capacity to handle complexity, focusing on addressing scale and complexity as functions of our product strategies.
Why do some development teams need help adhering to secure coding guidelines, and how can organizations better support their teams?
No two developers solve a problem or build a software product the same way. Some arrive at their career through formal college education, while others are self-taught and with minimal mentorship. Styles and experiences vary wildly. Equally so, we should expect they will consider secure coding practices and guidelines with similar diversity of thought.
Organizations must account for this wide diversity in their secure development practices – training, guidelines, standards. These may be foreign concepts to even a highly proficient developer, and we need to give our developers the time and space to learn and ask questions, with sufficient time to develop a secure coding proficiency. We can set an expectation for an end state of proficiency, but pointing fingers out of the blue at developers will have the opposite of its intended effect – we will lose their attention and their engagement. Secure coding is a journey, and our organizations should focus on supporting and measuring progress over time.
What measures can organizations take to consistently apply secure coding principles in a decentralized or remote work environment?
Best-in-class organizations have established ‘security champions’ programs where high-skilled developers are empowered to be a team-level resource for secure coding knowledge and best practice in order for institutional knowledge to spread. This is particularly important in remote environments where security teams may be unfamiliar or untrusted faces, and the internal development team leaders are all that much more important to set the tone and direction for adopting a security mindset and applying security principles. Development teams can use an event like a security hackathon as a remote team-building exercise, and one that empowers teams to bond and improve in a productive way.
Are there specific programming languages or frameworks better suited for secure development? If so, why?
Yes, newer languages such as Rust and Go have several security-first principles, such as memory safety. The Django framework has built-in protections against SQL injection and cross-site scripting, which have plagued web app security for years. These are important enhancements, but ultimately the selection of language and framework has a rather small impact on the underlying security of the end software product.
An aspect of languages which arises time and again over the years is the underlying community of support – communities dedicated to the maintenance and quality of a language and framework continue to add new security features reliably. Meanwhile, frameworks and languages without strong communities tend to atrophy over time, which leads to more significant security issues.