Building Security Into Software Development: A FutureTalk

Remember when development and operations were two separate entities? Well, in the not-too-distant-future we’ll be asking the same question about dev and security. That was the takeaway from our latest FutureTalk, which explored the need for security concerns to become an integral part of the application-development process. In fact, with the rise of open source software and the shift towards continuous deployment, that need grows more pressing every day.

Moderated by New Relic Chief Information Security Officer Shaun Gordon, the panel featured three security experts. The first was John Stevens—internal CTO at Cigital and CTO at Codiscope—who has provided strategic direction and built security groups for corporations including Coca-Cola, EMC, Qualcomm, and Marriott. The second was Guy Podjarny, co-founder of Snyk.io who previously served as CTO at Akamai. Our third expert was Omri Iluz, formerly of Akamai, Contendo, and iPlay, currently co-founder and CEO of PerimeterX.

The three panelists brought a wealth of experience and offered varying perspectives on tools, methods, and best practices. But all agreed that the integration of development and security is not a matter of if but rather when and how.

Who Owns Open Source?

The evolution of open source software has been rapid and significant. Today, most apps are built (at least partially) from multiple OS packages. Unfortunately, John said, “there is no software nutrition label.” In other words, developers run the risk of making a given piece of OSS integral to their application without knowing exactly what’s inside. To mitigate this, John recommended seeking out the good security controls built into OS packages—controls which too often go overlooked. Also, he added, don’t underestimate the importance of using the latest version, patched and configured correctly.

Our FutureTalk security panel guests (left to right): Guy Podjarny, John Stevens, and Omri Iluz

For Guy, this raised the question of who exactly “owns” OS security. “Is it the part-time hero who made it, or you, the consumer?” Although the question could be debated at length, Guy’s position was firm: developers must take ownership of application security, regardless of which OS components they use to build it.

Omri agreed and emphasized the importance of education. The key, he said, is giving devs the tools and knowledge they require to build software that doesn’t need to be secured later. That’s truer today than ever, he said, since the only way to fix vulnerabilities now is in the code itself.

Fact: Your Code has Been Hacked

But how to persuade engineers to do security, too? It’s a big request, Guy said: being a security expert is a full-time job for a reason, and devs already have a lot on their plates. The first step is getting them to care.

Omri’s favorite method for doing just that is to show trainee engineers some real-life attacks. Once hacks stop being hypothetical, they become much more compelling. By giving developers the same stark warning he gave the FutureTalk audience—“Your code has been hacked in production, I guarantee it”—Omri brings them into the process. And if that doesn’t work, he points out the technical debt: “One minute saved by ignoring security equals ten minutes spent fixing your vulnerabilities later, in production.”

While demo apps do exist, designed to introduce devs to the kinds of hacks their code is going to face, Guy concurred that the best vulnerabilities to learn from are real bugs. “You watch NASCAR for the crashes,” John added, “and you learn security for the hacks.”

Ops and Optimists

John went on to say that the main thing holding developers back from truly embracing security is their inherent optimism. Under pressure to convert business ideas into application realities, devs learn to say yes to everything and to project positive outcomes. “Ops folks, on the other hand, are really good at thinking negatively because they’ve seen it break. Ask them what they need.”

In other words, if DevSec is the future, beginning with some good old-fashioned DevOps collaboration might be the quickest way to get there.

To hear the panel’s thoughts on “bug bounty” programs, learn what John means by “knowing the pile,” and discover the surprising truth about the most common vulnerability of all, watch the full FutureTalk in the video below: