
Risk | 3/14/2013 01:32 AM

Constructive Security Training For Application Developers That Works

Talk to developers in their language, code, and make the security ramifications visible so they have a reason to improve their habits

Don't believe the lie that developers don't care whether their application code causes expensive vulnerabilities for their organizations. If the dev team is apathetic, then chances are that the security team and IT leadership aren't giving them a reason or the means to care, application security pundits say.

"If you ask any developer, 'Hey, do you want to write code that is going to potentially cause millions of dollars of losses for the company?' most of them are probably going to say no," says Bill Pennington, chief strategy officer of WhiteHat Security.

The problem is that much of today's security testing and training isn't tailored to suit the way developers think and do their jobs, says Ed Adams, CEO of Security Innovations, who agrees that developers want to write high-quality code.

[How can you start instituting a secure software development life cycle? See 10 Commandments Of Application Security.]

"Remember that most software developers are engineers. If you're asking them to do something, give them a reason why," he says. "And then give them the method to do what you ask."

For example, today a lot of security pros think it is good enough to leave the dev team with a policy statement along the lines of, "Write all Web applications so they're not vulnerable to common threats on OWASP's Top 10 list."

"That's great, but it means nothing to a developer," Adams says, explaining that it leaves the developer to figure out what the top 10 is, then drill down into each statement on the list and try to figure out how that actually applies to the way they code applications.

It's a pet cause for Romain Gaucher, lead security researcher for Coverity, who says that at the moment, security people don't give developers complete advice that they can apply right away in their work environments.

"Security people should be able to talk to developers with code," he says. "They should do it with code examples and how to actually do the thing properly, not with very generic advice."
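The kind of code-level guidance Gaucher and Adams are calling for, as an added example that is not from the article or from any of the people quoted in it. It takes two items that "OWASP Top 10" policy statements usually leave abstract, SQL injection and cross-site scripting, and shows the insecure habit beside the habit to adopt. It uses only the Python standard library; the in-memory user table and the inputs are constructed for the example.

```python
"""Added example (not code from the article or the people it quotes): the
concrete, code-level form of "don't be vulnerable to SQL injection or XSS",
with the insecure habit beside the habit a developer should adopt.
Only the Python standard library is used; the schema and inputs are constructed."""
import html
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Insecure habit: the caller-supplied value becomes part of the SQL text,
    so the database cannot tell data apart from query structure."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Secure habit: a parameterized query. The driver passes the value
    separately from the statement, so it is always treated as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_unsafe(name: str) -> str:
    """Insecure habit: untrusted text concatenated straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name: str) -> str:
    """Secure habit: escape at the point of output. A templating engine with
    auto-escaping does this for you; quote=True also escapes attribute quotes."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_demo_db()
    probe = "' OR '1'='1"   # constructed input of the kind a scanner sends
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no such user: []
    tag = "<script>alert(1)</script>"
    print(greeting_unsafe(tag))   # markup reaches the browser as markup
    print(greeting_safe(tag))     # markup reaches the browser as text
```

The point for training is the contrast: the same function, written two ways, makes the rule ("never build SQL or HTML from strings you did not write") concrete enough to apply on the next commit, which "avoid the OWASP Top 10" does not.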

This could be a problem for some security professionals who are usually not developers by trade, says Adams, who adds that security training should come from developers who can speak the language of their brethren.

"If it isn’t a developer doing the training, you’re bound to get questions that can’t be answered, which will frustrate the developers even further," he says.

In addition to taking this more pragmatic approach to offering advice, organizations should also be seeking ways to make security problems and goals more visible to developers on a day-to-day basis. In the hunt for greater testing efficiency -- a good thing -- many organizations have done a lot to obscure security from the developer's line-of-sight by using frameworks, prewritten libraries, and routines for things like input sanitization, authentication, and cryptography, Adams says. That's not very conducive to developer training.

"That’s a good way to ensure developers are doing the right thing. But you can't prewrite everything. Developers still have to write integration code to tie in the business logic, not to mention the rest of the functionality, and it is very easy to write insecure code if you aren't trained properly," Adams says. "The implementation of security during development can 'feel' invisible; however, implications and importance of security should be quite visible to developers."

Nick Galbreath, vice president of engineering for IPONWEB, says he strives to make security more visible among the developers at his organization. One of the big ways to do that is by giving developers regular data from security tools about the types of attacks hitting their application infrastructure so they can see what they're up against.

"Instrumenting real-time graphs like SQL injection, cross-site scripting, and all of the garden variety junk that comes in from scanners actually educates everyone -- management and developers," he says. "If you start instrumenting it so you can see these probes and attacks come in, developers are actually pretty interested in it, and it really is a great way of engaging people."

But don't just give them real-time information feeds to raise awareness. Also consider crunching the data with analysis that shows them the most common security issues and tying them to root causes within the code.

"There's a bazillion things you can screw up when writing code or deploying applications," says David Mortman, chief security architect for enStratus. "So if you can, start measuring where you're screwing up and how you're screwing up."

Not only can this improve the way that code is developed, but also how it is implemented.

"There's no point in spending a lot of time talking about SQL injection if everything is cross-site scripting [in your environment]," he says. "And there's no point in harassing developers who were writing code securely if the problem is that the ops keep screwing up the configuration files or something like that. If you're going to improve things you have to know where you're breaking things first."
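A minimal version of what Galbreath and Mortman describe, instrumenting the probes that hit the application and tallying them by type and by endpoint, as an added example that is not code from the article or from IPONWEB, enStratus, or anyone quoted. It goes slightly beyond the two probe types named in the text by also counting path-traversal attempts, since those are part of the "garden variety junk" a scanner sends. The access-log lines, endpoints and signatures are constructed for the example; the signatures are coarse and meant for measurement and awareness, not as a blocking rule set.

```python
"""Added example (not code from the article or the organizations it quotes):
classify web-server access-log lines by the kind of probe they resemble,
then tally by probe type and by endpoint so a team can see where to focus
training. Log lines, endpoints and signatures below are constructed."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_plus

# Constructed access-log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2013:01:32:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
10.0.0.7 - - [14/Mar/2013:01:32:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540
10.0.0.7 - - [14/Mar/2013:01:32:03 +0000] "GET /profile?name=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 300
10.0.0.9 - - [14/Mar/2013:01:32:04 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
10.0.0.9 - - [14/Mar/2013:01:32:05 +0000] "GET /item?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 120
10.0.0.3 - - [14/Mar/2013:01:32:06 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 90
10.0.0.5 - - [14/Mar/2013:01:32:07 +0000] "GET /search?q=socks HTTP/1.1" 200 510
10.0.0.7 - - [14/Mar/2013:01:32:08 +0000] "GET /search?q=%22%3E%3Cscript%3E HTTP/1.1" 200 530
"""

# Parses only the fields this example needs: client, method, target, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse signatures, checked against the URL-decoded request target.
# Good enough for a tally; not a substitute for fixing the code.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*or\s*'|\bunion\b\s+\bselect\b|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script|onerror\s*=|javascript:)"),
    "traversal": re.compile(r"\.\./"),
}


def classify(target: str) -> Optional[str]:
    """Return the probe type the request target matches, or None if it looks benign."""
    decoded = unquote_plus(target)
    for kind, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return kind
    return None


def tally(log_text: str) -> dict:
    """Walk the log and count probes by type and by endpoint (path without query)."""
    by_type, by_endpoint = Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole run
        total += 1
        kind = classify(m["target"])
        if kind is None:
            continue
        endpoint = m["target"].split("?", 1)[0]
        by_type[kind] += 1
        by_endpoint[(endpoint, kind)] += 1
    return {"requests": total, "by_type": dict(by_type), "by_endpoint": dict(by_endpoint)}


if __name__ == "__main__":
    report = tally(SAMPLE_LOG)
    print(f"{report['requests']} requests parsed")
    for kind, n in sorted(report["by_type"].items(), key=lambda kv: -kv[1]):
        print(f"  {kind:10s} {n}")
    for (endpoint, kind), n in sorted(report["by_endpoint"].items()):
        print(f"  {endpoint:26s} {kind:10s} {n}")
```

On the constructed sample the tally says XSS probes outnumber SQL injection and that they concentrate on the /search handler, which is exactly the kind of result that tells a team where to spend its training time and which handler's output encoding to review first. The same counts, graphed over time and shown to the developers who own each endpoint, are the "real-time graphs" Galbreath describes.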

Comments
marktroester, User Rank: Apprentice, 3/18/2013 | 12:46:26 PM
re: Constructive Security Training For Application Developers That Works
Thanks for the interesting article, this is definitely an important topic. In addition to the recommendations that were made relating to custom code, we have found that it is critical to manage the components that are used to build the application. Our research shows that modern applications are made up of 80%+ of components, many of them open source. But back to the developer - the thing that needs to happen is that the developer needs the information to make good security decisions integrated directly in the tools they use today - they shouldn't have to pay a security tax by learning yet another tool (most of which are designed for security experts). From a component perspective, it's about providing them guidance about the best open source components to use, and it's about providing monitoring and remediation support throughout the entire development lifecycle and production environments.

Mark Troester
www.sonatype.com
@mtroester