Empowering developers to take application security into their hands

How are developers supposed to build security into the development lifecycle if they are never taught security at any stage of their education? Many vulnerabilities reach production because the products are built by developers who have close to no security training. Rather than accept the idea that software will never be 100 percent secure, academia and industry leaders can be more proactive and teach developers how to think about application security.

In a white paper, "App-Sec How-To Guide: Getting your Developers to Beg for Security," security vendor Checkmarx said, "The real secret, then, to getting developers excited about creating secure code is to use those techniques and tools that motivate them in other areas of their work: a way to visualize their work; providing a strong support system; giving solid feedback in a short timeframe; and allowing developers to learn not only from their own mistakes, but also from those developers around them."

Asaph Schulman, vice president of marketing at Checkmarx, said that focusing on security throughout the development process demands understanding the most common application-layer vulnerabilities. "SQL injection is one," said Schulman. "Any teenager with a 'Hacking for Dummies' book can exploit and create huge damage with something so simple."

Given the pressure to get products to market, the trick is figuring out how to get developers to see security as part of their job. "A lot of the blame goes to some of the old paradigms about how you do security. It was built on afterthought. You write your code with no consideration for security at any stage. Just before release, you bring in hackers to test, which creates a lot of tension between developers and security folks," said Schulman. Instead, developers need to learn how to push security testing into the design and development phases.
"They write a piece of code, it gets tested for quality and security at the same time so that they get feedback within minutes or hours. There is only one problem to solve, so they can release code as fast as possible with this agile movement," Schulman said.

The industry as a whole needs to educate developers about how to bring security testing to the earliest possible stages of development. Schulman said, "The industry doesn't do security any justice. They make developers think security is someone else's job."

In any software development lifecycle you want to catch a bug as early as possible, yet in practice bugs are often found only just before or after release, when they are most expensive to fix. "If you bring that forward to when that code is being created, it doesn't need to go through the pen testing, so the cost is $80 per bug rather than after release when it's more like $10k," said Schulman.

Best practices vary among organizations, which can be burdensome for developers, but some general ones apply everywhere. First, said Schulman, "Never trust users to do what you think they are going to do. Sanitize and verify what you expect to be getting is what you received. Organizations have their own guidelines on how you need to handle inputs and outputs. Developers need to be aware of those."

Executives can also advocate from the top down for integrating education programs, which some organizations run through an external training company. Schulman said, "Those are often ineffective and developers hate them. It's boring. They want something that is different where they are getting feedback and seeing how to avoid those problems in the future." Instead, he suggested some type of gamification, like Checkmarx's "Game of Hacks," which was intended as a marketing campaign but has led enterprises to keep approaching the company to customize the game for them. "It's fun and offers different ways to educate developers on secure coding.
There is a set of five questions that show snippets of vulnerable code. You find the vulnerability. You can play with friends, and it is completely free," Schulman said.

Being aware of security and knowing how to avoid the most common coding pitfalls, so that you can eliminate them before they happen, is one way to avoid mistakes. All you can do is try to minimize your risk, and education is key toward that end.
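The two concrete points in the article, SQL injection and "sanitize and verify what you expect to be getting is what you received," are easiest to see side by side. The following is an added example, not code from the article or from Checkmarx: a user lookup written the vulnerable way next to a hardened version that validates the input against an allowlist and binds it as a query parameter. It uses Python's built-in sqlite3 module with an in-memory database, and the users table, its rows, the username pattern and the payload string are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample rows; these accounts and addresses are not real.
SEED_USERS = [
    ("alice", "alice@example.invalid", "admin"),
    ("bob", "bob@example.invalid", "user"),
    ("carol", "carol@example.invalid", "user"),
]

# Assumed allowlist for this example: lowercase letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def open_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The classic mistake: user input is pasted into the SQL text, so the
    input can change the query's structure rather than just supply a value."""
    query = f"SELECT name, email, role FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_bound_only(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding alone: the driver sends the value separately from the
    SQL, so a quote or OR clause in the input is compared as data, never parsed."""
    query = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Defense in depth: first verify the input is what we expect (allowlist),
    then bind it as a parameter. Rejecting early also keeps bad data out of
    logs and downstream code that may not be as careful."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed pattern")
    return lookup_bound_only(conn, username)


def demo() -> dict:
    """Run both lookups against a benign name and a textbook injection payload."""
    conn = open_db()
    benign = "bob"
    # Closes the string literal and appends a tautology: name = 'x' OR '1'='1'
    malicious = "x' OR '1'='1"
    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),       # one row
        "vuln_malicious": lookup_vulnerable(conn, malicious), # every row leaks
        "bound_malicious": lookup_bound_only(conn, malicious),# no rows
        "safe_benign": lookup_hardened(conn, benign),         # one row
    }
    try:
        lookup_hardened(conn, malicious)
        results["safe_malicious"] = "accepted"
    except ValueError:
        results["safe_malicious"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding alone is what defeats the injection; the allowlist check is the "verify what you expect" half of Schulman's advice and catches the bad input before it reaches the database at all. Whether a given field is best validated with an allowlist, a length limit or a type check is one of the organization-specific guidelines the article mentions.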