We asked 19 executives who are involved with application security what developers need to keep in mind when working on application security.
Here's who we talked to:
Sam Rehman, CTO, Arxan Technologies
John Pavone, CEO, Aspect Security
Jon Gelsey, CEO, Auth0
Mark O’Neill, Vice President Innovation, Axway
Walter Kuketz, CTO, Collaborative Consulting
Rami Essaid, CEO, Distil Networks
Alexander Polyakov, CTO, ERPScan
Deena Coffman, CEO, IDT911 Consulting
Craig Lurey, CTO and Co-Founder, Keeper Security
Max Aulakh, CEO, MAFAZO
Jessica Rusin, Senior Director of Development, MobileDay
Kevin Swartz, Marketing Manager, NowSecure
Julien Bellanger, CEO and Co-Founder, Prevoty
Kevin Sapp, VP of Strategy, Pulse Secure
Chris Acton, Vice President of Operations, RiskSense Inc.
Amit Bareket, CEO, SaferVPN
Walter O’Brien, Founder and CEO, Scorpion Computer Services
Francis Turner, VP Research and Security, ThreatSTOP
Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "What do developers need to keep in mind when working on application security?":
Read DZone’s articles on best practices. If you do decide to do it yourself, study the best practices and do not try to build from scratch.
If you are leveraging open source, run through static code analyzers to look for quality issues. Dead code can lead to security problems. Security correlates with quality. There are a lot of free resources developers just need to use them. Join Open Source Web Application Security Project (OSWASP) a worldwide non-profit promoting the development of application security - how to write procedures and functions.
Everything that goes through code review needs to be tested for security. Every development needs to be tested manually and via automated testing with the findings shared with the entire team. Use third-party black-box testing to simulate attacks. Bring the process into the organization. Evangelize a security program into the organization. Senior developers may lead this effort but their must be buy-in at every level. Employees will find loopholes to minimize time and resources. Need to put in checks and balances testing to ensure process is being implemented and is effective. Record everything that has been fixed. Track fixes over time to identify trends of where breakdowns are occurring. Understand flaws, aggregate over time, document solutions, understand priorities, keep a running list of how to avoid in the future, and a pattern of code practices that prevent the occurrence of the problem.
Develop talents in security. Developers who understand security gives them a good competitive advantage. If they want to grow, keep training - security will always be important. Do not put backdoors in what you are building, it’s a bad practice that should not be tolerated.
Every application is different. You can’t be a security expert and a developer. Have the security team give developers the tools, frameworks and infrastructure to build a secure app.
B2B2C portals are being built. As such, businesses are undergoing a fundamental digital transformation exposing apps directly to partners and customers. People accessing the apps may or may not be employees. Developers need to develop a security mindset. Don’t build it yourself. Use third party services, secure storage for user accounts. Get on board with a security website. Don’t be intimidated. Learn the fundamentals of security. Understand the environment your app will run in.
Don’t trust anything that’s not on the same computer. Anything you get from outside you need to validate. Encrypt anything that leaves you - data communications between apps and databases, everything that comes from a client. Have a mindset of what could someone do to hurt me - ensure no one can wipe your data, have lots of alerts and notifications when things are going wrong. You need an error channel when something fails. Make sure you get an alert when data is corrupt. Don’t assume that data is always available.
It’s easy to ignore. Look at the data and think about what could happen if it’s not kept private. During the development cycle, allocate time for security development - it’s easier to do this while you’re building than it is to have to come back and do it over. Everyone in a small company has to “own” security.
Because of these factors and the changing infrastructure footprint that includes more cloud resources and aaS solutions, technical folks (IT, ops, developers) are forced to consider a layered approach to filtering attacks down to the most granular level before on-prem resources take the brunt of the packet sniffing/inspection and deep interrogation techniques to ensure speed and scalability.
Take a design/implementation approach to application security. Running static and dynamic analysis and getting flooded with flaws is overwhelming. Make it part of the development - authentication, access, control, audit are designed into the application from the beginning.
Spend time looking at the fundamentals of security. Look at OWASP top 10 or 25 security vulnerabilities. Understand the landscape you’re working in (e.g. PHP or Ruby) and be aware of how they’re being attacked. You cannot expect developers to get security on their own. They must work with, be collaborative with, security.
Be aware of how rapidly the threat environment is evolving. The team needs to stay up to speed. See how many apps may be vulnerable. It’s easier with security by design. The developer and the team need to use the latest tools and best practices.
Three steps: 1) The network verifies you are implementing a secured connection properly with SSL, certified, eliminate middle man attacks. 2) Persistence with regards to password management that are saved in a consistent and proper way. 3) Permissions - specific paths in the software are backed by permissions for admins, users, etc.
Have security as part of your development process with static and dynamic testing. When using the cloud, think about how you’re managing the keys - do you bake the key into the app and hope no one can find it or do you have a dedicated gateway infrastructure? Think about how to design APIs hypermedia style - what comes first. Keep in mind how applications will be used so you’re able to see when they are being misused.
You’re laying a foundation. Following the principles of security will help you evolve with an ever changing security landscape.
1) Be pessimistic, assume the worst. 2) Managers spend enough money and allow enough time to test. Do not let the same people write and test. Developers build, testers break - they have a different mentality. 3) Recognize the importance of configuration management to ensure you’re delivering the right package to the right person at the right time. Configuration management is not a side hobby. You can improve productivity by 30% if you give one person the job of ensuring a clean deployment. This relates to security because things are wrong and everything should be secure. Open source has vulnerabilities in it. Politics are a problem - you can be right or you can be popular.
Wholly embrace security as a part of their responsibility. Learn the latest coding in detail. Sharpen the sword on the latest techniques to prevent bad security practices. Commit to security, it’s importance and how to write secure code. Be curious. Put you black hat on and think how you’d hack your app.
Think about security as a design element. The features of your application mean nothing if they are not secure. Don’t assume security means you can’t innovate. Use security to drive innovation. Factor security into design time and take it seriously.
What has your experience been with application security?
What advice would you give someone who's just getting started with it?