How Devs Can Improve Security (Part 3)

To understand the current and future state of the cybersecurity landscape we spoke to and received written responses from 50 security professionals. We asked them, "What suggestions do you have for developers to improve the security of their applications and data?"

In part one, we learned that secure development practices, audits/scans/tests, and education/best practices were the top three things developers could do to improve security. In part two, our respondents suggested using the right tools, using REST APIs, partnering with security, and following proper governance. Here are all the other suggestions:

Other

• Ensure only authorized users have access to your sensitive applications and data by requiring users to use a second factor of authentication. If your product can’t support this, partner with a solution that can seamlessly add this requirement without requiring any changes. Such solutions are becoming available now and can help ensure the proper use of your sensitive applications and data.
• Security automation is the key to the future of DevOps and can accelerate security within the Agile process.
• With the understanding that security is essential for application trust and adoption, manufacturers are faced with a choice: attempt to harden security in-house, device by device, for the entire lifecycle of every product, or, offload the bulk of security onto the network that transmits data to and from their devices. We believe it is advantageous to shift as much of the security burden onto the network as possible.
  
  Doing so will decrease time to market for new devices and apps, increase user adoption, and lower the ongoing risk of securing 50 billion new devices that will be connected to the Internet. App developers, IoT manufacturers, and new products can choose to reinvent the wheel, or they can leverage a secure, global data stream network and take advantage of the massive economies that scaling such a service can offer.  
• Code quality is important. Run tools are essential to have good code. However, that alone is not enough. Developers need to think like an adversary. Understand what the application is going to do and think about how an adversary may use it. Don’t have default passwords. Think about how components in your environment connect with another component in another environment. Keep it as simple as possible. Fix vulnerabilities and understand open source and dependences. Think about the bigger picture.
• App development, particularly in the area of security, needs to be built with better UI’s that have layers of abstraction and turn really complex security features and requirements into something that’s easier to interact with and understand. The best applications will be those who find the right way to engage with users and provide the right layer of abstraction to simplify complexity. Think about and understand the markets you are serving. Enterprise solutions don’t translate to a site-by-site solution. When you try to squeeze down an enterprise solution into a small market, it gets expensive. You need different solutions based on the needs and nuances of the industry.
• Just as you take the point of view of the user into account when designing data flows, interfaces, and architecture, so you should with security. Ask yourself, “If I was the user, what security would I want at this point? What about this point? And what about this point?” You can go further and survey the pulse of the general public, as well as targeted customers/prospects. What sort of security experience do they wish to have? These are the kinds of questions that are just as vital as the workload itself.
• Develop applications and operate with a model that assumes that your environments aren’t secure. Use short-lived secrets, encrypt data in flight and at rest, and control who has access to which infrastructure, systems of record, etc.
  

This is the third of three articles which share what IT professionals thought developers could be doing to improve the security of their code and applications. Be sure to take a look at Part 1 and Part 2 for more suggestions.

Here’s who shared their insights:

• Josh Mayfield, Director of Security Strategy, Absolute
• Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
• Steven Aiello, security and compliance solutions principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Omer Benedict, Senior Director of Product Management, Aqua Security
• Tom Maher, CTO, Asavie
• Gaurav Banga, CEO and Founder, Balbix
• Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
• Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
• Anurag Kahol, CTO, Bitglass
• Syed Abdur, Director of Product Management and Design, Brinqa
• Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
• Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera 
• Brian Kelly, Head of Conjur Engineering, CyberArk
• Doug Dooley, COO, Data Theorem
• Jason Mical, Cyber Security Evangelist, Devo Technology
• OJ Ngo, CTO, DH2i
• Tom DeSot, EVP CIO, Digital Defense, Inc.
• Chris DeRamus, Co-founder and CTO, DivvyCloud
• Alan Weintraub, Office of the CTO, DocAuthority
• Tom Conklin, CISO, Druva
• Anders Wallgren, CTO, Electric Cloud
• Satish Abburi, founder, Elysium Analytics
• Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
• Ambuj Kumar, Co-founder and CEO, Fortanix
• Josh Stella, co-founder and CTO, Fugue
• Kathy Wang, Senior Director of Security, GitLab 
• Amith Nair, VP Product Marketing, HashiCorp
• Mike Puglia, Chief Customer Marketing Officer, Kaseya
• Nathan Turajski, Director of Product Marketing, Micro Focus
• Gary Duan, Chief Technology Officer, NeuVector
• Gary Watson, CTO and Founder, Nexsan
• Stephen Blum, CTO and Co-founder, PubNub
• Chuck Yoo, President, Resecurity
• Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
• Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
• Igor Baikalov, Chief Scientist, Securonix
• Oege de Moor, CEO and Co-founder, Semmle
• Dana Tamir, VP Market Strategy, Silverfort
• Logan Kipp, Technical Architect, SiteLock
• Albert Zenkoff, Security Architect, Software AG
• Tim Brown, V.P. Security Architecture, SolarWinds
• Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
• Tim Buntel, VP of Application Security Products, Threat Stack
• Andrew Useckas, Founder and CTO, ThreatX, Inc.
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
• Robert Hawk, Operations Security Lead, xMatters