While the relationship between software development and security hasn't always been harmonious, recent research suggests the two are becoming much more aligned. In one study, almost half of developers said they had prioritized learning or improving AppSec/secure programming since the pandemic began. In another study, 79 percent said the importance of secure code is increasing in prominence.
This long-awaited meeting of the minds is being driven in large part by astronomical increases in cyberattacks, which are happening on average every 39 seconds. Meanwhile, 60 percent of developers are releasing code two times faster than before. So, while developers are primarily motivated by creating great software, increasingly they are making efforts to ensure that development is complementary to security. The alternative — creating insecure code that puts attackers in the headlines — makes it imperative for developers to incorporate security wherever possible.
To improve alignment between development and security teams, individuals in the developer community can become security champions without being full-blown security professionals. For instance, the overwhelming majority of issues can be addressed by embracing good secure coding practices, integrating security testing into the software development lifecycle, and leveraging readily available scanning tools.
8 Tips for Building a Security-Oriented Mindset
Ultimately, developers can improve security by practicing several habits aimed at building a security-oriented mindset into the development process, including:
- Practice makes perfect: The old adage that you heard in kindergarten still applies today. Making sure that your build is secure can start with something as simple as familiarizing yourself with common security tools. You can also practice patching real code to train yourself to identify flaws early on — a great skill for any developer.
- Be (security) mindful: Your attitude toward security can impact not only your own thoughts and actions but also those of your peers and your organization. When you're mindful of security and take steps to increase the resiliency of your code, it helps to build awareness of the importance of secure coding and drive cultural change within your team.
- Learn from your mistakes: If a vulnerability is found in your code, take the initiative to find out when and where things went wrong. One of the best skills you can have for building software is to think like a hacker. Read about famous security flaws and how they happened, and apply that same thought process to learn from your mistakes on future projects. Famous cyber hacks include recent incidents involving SolarWinds and Microsoft Exchange.
- Know your enemy: Learning to think like a threat actor is key to knowing your enemy. You can deepen that knowledge by breaking things like a threat actor does. Getting to know your adversaries — including how they think and act — is a fundamental part of becoming a security-minded developer.
- Learn common security flaws: Injection flaws, broken authentication, cross-site scripting —these are only some of the most common security vulnerabilities. A whopping 76 percent of applications have at least one security flaw on the first scan. Learn about common security flaws, how to spot them quickly, and how to fix each one in your code. And remember that practice makes perfect.
- Slow and steady wins the race: There's no question that developers are under constant time constraints, especially with 85 percent of organizations admitting that they've released vulnerable code because of pressure to meet tight deadlines. But don’t let the need for speed stop you from performing early scans. It's always easiest to find and fix flaws early on in the process.
- Automate when possible: This includes automated code scanning in the integrated development environment (IDE), as well as making use of automated security tools. Automation saves time and expedites production.
- Secure open source code: It's no secret that 90 percent of software today is comprised of open-source code. But that third-party code can contain vulnerabilities that you pass on in your software production if you're not careful. Take time to review the version history and look at previous security issues for any open source code you're incorporating.
As cyberattacks continue to increase, organizations will, likewise, face increasing pressure to ensure the security of their software. And while there's no way to prevent 100 percent of attacks, developers can ensure that the build process benefits from a strong security mindset. Doing so not only strengthens your position as a developer but also makes you an invaluable asset to the organization as a whole.