We asked 19 executives who are involved with application security what are the skills that make someone good at developing secure applications.
Here's who we talked to:
Sam Rehman, CTO, Arxan Technologies
John Pavone, CEO, Aspect Security
Jon Gelsey, CEO, Auth0
Mark O’Neill, Vice President Innovation, Axway
Walter Kuketz, CTO, Collaborative Consulting
Rami Essaid, CEO, Distil Networks
Alexander Polyakov, CTO, ERPScan
Deena Coffman, CEO, IDT911 Consulting
Craig Lurey, CTO and Co-Founder, Keeper Security
Max Aulakh, CEO, MAFAZO
Jessica Rusin, Senior Director of Development, MobileDay
Kevin Swartz, Marketing Manager, NowSecure
Julien Bellanger, CEO and Co-Founder, Prevoty
Kevin Sapp, VP of Strategy, Pulse Secure
Chris Acton, Vice President of Operations, RiskSense Inc.
Amit Bareket, CEO, SaferVPN
Walter O’Brien, Founder and CEO, Scorpion Computer Services
Francis Turner, VP Research and Security, ThreatSTOP
Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "What are the skills that make someone good at developing secure applications?":
Curiosity, creativity beyond software. Developers are typically logical and step-by-step. Attackers are the opposite - very creative. Teach developers how attackers think. You need good development skills but you also need to have an abstract side.
Critical thinking. Have an understanding of concepts beyond what’s normal. More abstract thinking. Understand the bigger picture of the application. Understand the subscribed use and the unintended uses (i.e. what a hacker may do). It's "builders versus breakers" - developers are builders, hackers are breakers.
Think like a hacker. Ability to find and close backdoors.
Security experts were an adjunct to developers. Now developers are being trained to take on more responsibility and build a secure app to defend against bots and hacks. Have a security mindset.
Make a bad app first. Learn from mistakes. Microsoft comes up with great ideas but doesn’t think about what the bad guys might do with it. Think like a bad guy - make sure you can see the different uses for what you are creating - good and bad. Think about the use cases and the basic security elements to have in place. If you outsource to the cloud and connect to a database in the cloud, ensure all elements are secure. Have a holistic process to understand where all the bits are - especially in the cloud.
Tools help. Don’t reinvent the wheel. Use what’s available and tested. Understand the cloud environment. DevOps skill sets are important. Use the built-in frameworks Apple and Google provide. Keep your system up to date. If you get out of date, you will have vulnerabilities. Treat all data as sensitive. Learn how to encrypt. Learn best practices for API calls using OAuth, not just passwords. Have controls within the organization - only give people access if they really need it.
Develop secure applications. Look for developer-focused people with a passion for security. A good developer with a passion to learn. Once you understand the problem you can solve it. There are eight good security controls in every application. Demystify - you don’t need to know every hack. There are 755 common risks - you cannot keep up with all of them. Think about how to design securely.
Developers solve problems for customers. Nothing is inherently different. Good code versus not good code. Follow policy - if you don’t have a policy to guide the developer, it doesn’t matter. Need security professionals working with developers. Developers are creators, not security professionals. Security is not in the developer’s wheelhouse.
We tend to look for people that are active in the security field. For someone we'd want to hire, we look for passion and knowledge in secure app development. We look for individuals that study security and make an effort to include it as part of their development techniques. There are plenty of places this can be shown, from studying forensics, security testing techniques, and secure development best practices such as those we've published on our website. In the development community, we always love to see responsible app developers that put security at the top of their priority list. Those types of individuals typically seek out products and services like what we offer that enable them to enhance the security of their mobile applications prior to release.
Top-notch developer skills. Awareness of the latest vulnerabilities. Aware of something in their own code that could be vulnerable. Rapidly evolving awareness affecting security. Critical for developers with an eye towards security to use best practices and stay up to date.
Having someone next to you - pair programming - two engineers code together. This produces greater awareness of bugs and security leaks. The developers give more thought to the issues of security and quality. There’s correlation between know-how and knowledge. Work in pairs with someone who has security knowledge.
Have a software development lifecycle in place that includes testing and vulnerability assessments. Use scanning software that performs both static and dynamic vulnerability assessments. API security testing after the fact. Understand the importance and advocate for it being part of the lifecycle. Don’t mix business logic with security. Have security as a separate function so you can change policies without changing code. It’s also important to be able to be audited and to understand the policies that are in place. You shouldn’t have to code for OpenID Connect.
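An added example (written for this page, not code from the article or from any vendor quoted in it) of keeping security as a separate function from business logic: the authorization policy lives in a JSON document plus an engine that enforces and audits it, so the business function carries no checks and a policy change needs no code change. The policy content, roles and limits are constructed for the example.

```python
import json

# Constructed policy; in practice loaded from a file or policy service so it changes without code edits.
POLICY_JSON = ('{"transfer_funds": {"roles": ["teller", "manager"], "max_amount": 5000},'
               ' "close_account": {"roles": ["manager"]}}')

class PolicyDenied(PermissionError):
    """Raised when the policy engine refuses an action."""

class PolicyEngine:
    """Security as a separate function: the only place authorization decisions live."""
    def __init__(self, policy_json):
        self.audit_log = []                   # what an auditor asks to see
        self.reload(policy_json)
    def reload(self, policy_json):
        self.rules = json.loads(policy_json)  # policy change, no code change
    def check(self, action, principal, **ctx):
        rule = self.rules.get(action)
        allowed = (rule is not None and principal["role"] in rule["roles"]
                   and ctx.get("amount", 0) <= rule.get("max_amount", float("inf")))
        self.audit_log.append((action, principal["id"], allowed))
        if not allowed:
            raise PolicyDenied(f"{principal['id']} may not {action}")

def guarded(engine, action):
    """Decorator: the policy check runs before the business function, which never sees it."""
    def deco(fn):
        def wrapper(principal, *args, **kwargs):
            engine.check(action, principal, **kwargs)
            return fn(*args, **kwargs)
        return wrapper
    return deco

engine = PolicyEngine(POLICY_JSON)

@guarded(engine, "transfer_funds")
def transfer_funds(src, dst, amount):
    return {"from": src, "to": dst, "amount": amount}   # pure business logic, no checks

def _denied(principal, src, dst, amount):
    try:
        transfer_funds(principal, src, dst, amount=amount)
        return False
    except PolicyDenied:
        return True

def run_scenarios():
    # Returns (teller small transfer ok, over-limit denied, denied after policy change).
    teller = {"id": "t1", "role": "teller"}
    small_ok = transfer_funds(teller, "acct-1", "acct-2", amount=100)["amount"] == 100
    big_denied = _denied(teller, "acct-1", "acct-2", 9000)
    engine.reload(POLICY_JSON.replace('"teller", ', ''))  # tellers lose the right; code untouched
    return small_ok, big_denied, _denied(teller, "acct-1", "acct-2", 100)
```

The audit log records every decision with the principal and outcome, which is what makes the split auditable without reading the business code.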
Attention to detail and discipline. Most important is intellectual curiosity - what would happen if?
Optimistic versus pessimistic coding. A brokerage house and a financial exchange have an agreed-upon protocol for financial interchange. If you assume they screw up everything and you’re going to get garbage, you will be prepared for it. Send garbage and see how the programmer responds. Set expectations, build something bulletproof and be pessimistic. Design by contract - instead of starting with code, begin by writing test cases. Write the test first. If you are unable to do so, you don’t have the requirements you need to write the code. If you hire a security firm and they find no problems, you don’t have the right security firm. I know one company whose CSO is in a different building and on a different floor from all the employees to maintain plausible deniability.
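As an added illustration of the pessimistic, test-first stance described above (example code written for this page, not from the article or any company quoted in it): a parser for a constructed order-message format that assumes the counterparty will send garbage, plus a "send garbage" check that every bad sample is rejected in a controlled way rather than crashing or being accepted. The wire format, field names and limits are all invented for the example.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed wire format, e.g. 'SYM=ACME|SIDE=BUY|QTY=100|PX=12.50'; limits are assumed.
MAX_QTY, MAX_MSG_LEN, REQUIRED = 1_000_000, 256, {"SYM", "SIDE", "QTY", "PX"}

class BadMessage(ValueError):
    """Raised for anything the pessimistic parser refuses to trust."""

def parse_order(raw):
    """Pessimistic parser: every assumption about the counterparty is checked."""
    if not isinstance(raw, str) or len(raw) > MAX_MSG_LEN:
        raise BadMessage("wrong type or oversized message")
    fields = {}
    for part in raw.split("|"):
        key, sep, value = part.partition("=")
        if not sep or not key or key in fields:
            raise BadMessage(f"malformed or duplicate field: {part!r}")
        fields[key] = value
    if set(fields) != REQUIRED:
        raise BadMessage(f"unexpected field set: {sorted(fields)}")
    if not re.fullmatch(r"[A-Z]{1,8}", fields["SYM"]) or fields["SIDE"] not in ("BUY", "SELL"):
        raise BadMessage("bad symbol or side")
    if not re.fullmatch(r"[0-9]{1,7}", fields["QTY"]) or not 0 < int(fields["QTY"]) <= MAX_QTY:
        raise BadMessage("bad quantity")
    try:
        px = Decimal(fields["PX"])
    except InvalidOperation:
        raise BadMessage("bad price") from None
    if not px.is_finite() or px <= 0 or px.as_tuple().exponent < -4:
        raise BadMessage("bad price")   # rejects NaN, Infinity, non-positive, sub-0.0001 ticks
    return {"symbol": fields["SYM"], "side": fields["SIDE"], "qty": int(fields["QTY"]), "px": px}

# "Send garbage and see how the programmer responds": constructed samples that must all
# be rejected with BadMessage, never by a crash and never by being accepted.
GARBAGE = ["", "SYM=ACME", "SYM=ACME|SIDE=BUY|QTY=-5|PX=1", "SYM=ACME|SIDE=BUY|QTY=1|PX=NaN",
           "SYM=ACME|SIDE=BUY|QTY=1|PX=1|PX=2", "x" * 1000, "SYM=ACME|SIDE=BUY|QTY=1|PX=1|EXTRA=1",
           "SYM=acme|SIDE=BUY|QTY=1|PX=1", "SYM=ACME|SIDE=BUY|QTY=1|PX=1.00001", None]

def survives_garbage(samples):
    for s in samples:
        try:
            parse_order(s)
            return False          # garbage accepted
        except BadMessage:
            continue              # controlled rejection, as designed
        except Exception:
            return False          # crashed in an unplanned way
    return True
```

Writing GARBAGE before the parser is the "test first" part: each sample states a requirement the code must meet.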
Attention to detail in development. The IT development team needs to implement a security policy and code and stay up to date with the latest changes and trends to ensure the development team is kept up to date. Balance with the business needs to maintain agility.
The ability to see through things. Don’t take things for granted. See problems as opportunities. How many different ways can I use this application? Have a very broad understanding of your craft. Be able to go from machine level to networking. This is a key issue when looking for talent. Show a constant interest in learning more. Think of security as an opportunity rather than something you have to deal with.
If you're an application security professional, what are the skills you think are important for someone to develop secure applications?
How about a developer that's been involved in application security?