DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

The Latest Software Design and Architecture Topics

article thumbnail
Appsec and Technical Debt
Technical debt is a fact of life for anyone working in software development: work that needs to be done to make the system cleaner and simpler and cheaper to run over the long term, but that the business doesn't know about or doesn't see as a priority. This is because technical debt is mostly hidden from the people that use the system: the system works ok, even if there are shortcuts in design that make the system harder for developers to understand and change than it should be; or code that’s hard to read or that has been copied too many times; maybe some bugs that the customers don’t know about and that the development team is betting they won’t have to fix; and the platform has fallen behind on patches. It’s the same for most application security vulnerabilities. The system runs fine, customers can’t see anything wrong, but there’s something missing or not-quite-right under the hood, and bad things might happen if these problems aren't taken care of in time. Where does Technical Debt come from? Technical debt is the accumulation of many decisions made over the life of a system. Martin Fowler has a nice 2x2 matrix that explains how these decisions add to a system’s debt load: I think that this same matrix can be used to understand more about where application security problems come from, and how to deal with them. Deliberate Decisions Many appsec problems come from the top half of the quadrant, where people make deliberate, conscious decisions to short cut security work when they are designing and developing software. This is where the “debt” metaphor properly applies, because someone is taking out a loan against the future, trading off time against cost – making a strategic decision to save time now, get the software out the door knowing that they have taken on risks and costs that will have to be repaid later. This is the kind of decision that technology startups make all the time. Thinking Lean, it really doesn't matter if a system is secure if nobody ever uses it. So build out important features first and get customers using them, then take care of making sure everything’s secure later if the company lasts that long. Companies that do make it this far often end up in a vicious cycle of getting hacked, fixing vulnerabilities and getting hacked again until they rewrite a lot of the code and eventually change how they think about security and secure development. Whether you are acting recklessly (top left) or prudently (top right) depends on whether you understand what your security and privacy obligations are, and understand what risks you are taking on by not meeting them. Are you considering security in requirements and in the design of the system and in how it’s built? Are you keeping track of the trade-offs that you are making? Do you know what it takes to build a secure system, and are you prepared to build more security in later, knowing how much this is going to cost? Unfortunately, when it comes to application security, many of these decisions are made irresponsibly. But there also situations when people don’t know enough about application security to make conscious trade-off decisions, even reckless decisions. They are in the bottom half of the quadrant, making mistakes and taking on significant risks without knowing it. Inadvertent Mistakes Many technical debt problems (and a lot of application security vulnerabilities) are the result of ignorance: from developers not understanding enough about the kind of system they are building or the language or platform that they are using or even the basics of making software to know if they are doing something wrong or if they aren't doing something that they should be doing. This is technical debt that is hidden even from people inside the team. When it comes to appsec, there are too many simple things that too many developers still don’t know about, like how to write embedded SQL properly to protect an app from SQL Injection, or how important data input validation is and how to do it right, or even how to do something as simple as aForgot Password function without messing it up and creating security holes. When they’re writing code badly without knowing it, they’re in the bottom left corner of the technical debt quadrant – reckless and ignorant. But it’s also too easy for teams who are trying to be responsible (bottom right) to miss things or make bad mistakes, because they don’t understand the black magic of how to store passwords securely or because they don’t know about Content Security Policy protection against XSS in web apps, or how to use tokens to protect sessions against CSRF, or any of the many platform-specific and situation-specific security holes that they have to plug. Most developers won’t know about these problems unless they get training, or until they fail an audit or a pen test, or until the system gets hacked, or maybe they will never know about them, whether the system has been hacked or not. Appsec Vulnerabilities as Debt Thinking of application security vulnerabilities as debt offers some new insights, and a new vocabulary when talking with developers and managers who already understand the idea of technical debt. Chris Wysopal at Veracode has gone farther and created a sensible application security debt model that borrows from existing cost models for technical debt, calculating the cost of latent application security vulnerabilities based on risk factors: breach probability and potential breach cost. Financial debt models like this are intended to help people (especially managers) understand the potential cost of technical debt or application security debt, and make them act more responsibly towards managing their debt. But unfortunately tracking debt costs hasn't helped the world’s major governments face up to their debt obligations and it doesn't seem to affect how most individuals manage their personal debt. And I don't think that this approach will create real change in how businesses think of application security debt or technical debt, or how much effort they will put in to addressing it. Too many people in too many organizations have become too accustomed to living with debt, and they have learned to accept it as part of how they work. Paying off debt can always be put off until later, even if later never comes. Adding appsec vulnerabilities to the existing debt that most managers and developers are already dealing with isn't going to get vulnerabilities taken care of faster, even vulnerabilities that have a high “interest cost”. We need a different way to convince managers and developers that application security needs to be taken seriously.
Updated October 5, 2022
by Jim Bird
· 10,195 Views · 1 Like
article thumbnail
Secure By-Design Storage for Your SCM
The widely adopted SCM tools we use today, GitHub and Gitlab, are built on the dated architecture and design of git, but this has some security gaps we'll explore.
October 4, 2022
by Avi Mastov
· 5,001 Views · 1 Like
article thumbnail
Observability Is Cultural
In order to leverage observability, we need a significant shift in our corporate culture that encapsulates the entire company and goes beyond the tools.
October 4, 2022
by Shai Almog DZone Core CORE
· 4,534 Views · 4 Likes
article thumbnail
Easily Update and Reload SSL for a Server and an HTTP Client
In this tutorial, learn how to update and reload your SSL configuration whenever needed without restarting your server or recreating your HTTP client.
October 4, 2022
by Hakan Altındağ
· 11,230 Views · 4 Likes
article thumbnail
O11y Guide: Who Are the Cloud-Native Observability Players?
Continue on a journey into the world of cloud-native observability: go out onto the playing field to understand who the players are and what teams they form.
Updated October 4, 2022
by Eric D. Schabell DZone Core CORE
· 7,036 Views · 2 Likes
article thumbnail
AWS Cognito Overview and Step-By-Step Integration
Explore the difference between two well-known Auth building methods: AWS Cognito and JSON Web Token. Plus, take a look at the AWS Cognito application process.
October 4, 2022
by Tetiana Stoyko
· 4,936 Views · 1 Like
article thumbnail
The Art of Deploying a Service Mesh
Check out the benefits of deploying a service mesh, popular tools for deploying a Service Mesh, and more here in this article.
October 4, 2022
by Ruchita Varma
· 7,091 Views · 1 Like
article thumbnail
Kubernetes Security: 10 Best Practices From the Industry and Community
One of the best ways to tighten your Kubernetes security is by implementing ten tactics that have become industry standard.
October 4, 2022
by Olesia Pozdniakova
· 4,049 Views · 1 Like
article thumbnail
The Importance of Monitoring in the Kubernetes ERA!
Kubernetes monitoring helps to identify problems within a Kubernetes cluster. Know more about Kubernetes monitoring and why it is important here in this blog!
October 3, 2022
by Ruchita Varma
· 2,893 Views · 1 Like
article thumbnail
Go CDK! What This Means for the World of IaC
CDK has landed, and the AWS community is hyped, but what exactly is CDK, how it works, and what does it mean for the world of Infrastructure-as-Code?
October 3, 2022
by Roy Tal
· 2,929 Views · 1 Like
article thumbnail
How To Validate Names Using Java
Gain context of three separate API solutions which can be used to validate name input fields within an application as you follow along with this demonstration.
October 3, 2022
by Brian O'Neill DZone Core CORE
· 9,042 Views · 4 Likes
article thumbnail
Install Docker, Kubernetes and Minikube on Linux Mint
Docker container packages up the code of an application and all its dependencies so that the application can run unchanged in any environment.
October 3, 2022
by Eugen Hoble
· 9,801 Views · 2 Likes
article thumbnail
Using CockroachDB CDC With Azure Event Hubs
This tutorial is an attempt to integrate CockroachDB CDC with Azure Event Hubs via our existing Kafka support.
October 3, 2022
by Artem Ervits DZone Core CORE
· 5,001 Views · 1 Like
article thumbnail
Managing Application Dependencies in the Cloud: Strategies and Best Practices
This article explains the basics of application dependency mapping, its importance in cloud environments and covers four critical best practices.
October 3, 2022
by Gilad David Maayan
· 4,668 Views · 1 Like
article thumbnail
Docker Introduction, Architecture, and Command Details
Its primary focus is to automate the deployment of applications inside software containers and the automation of operating system-level virtualization on Linux.
October 3, 2022
by Jaydeep Patil
· 4,360 Views · 4 Likes
article thumbnail
Best Practices for Building a Cloud-Native Data Warehouse or Data Lake
Blog series about Data Warehouse vs Data Lake vs Data Streaming - Part 5: Best Practices to Build Cloud-Native Data Warehouse or Data Lake.
September 30, 2022
by Kai Wähner DZone Core CORE
· 7,794 Views · 3 Likes
article thumbnail
Embedding a Microservice Into Another
Embedding a microservice into another is not a common practice, but it could open to new ways for developing service-oriented applications.
September 30, 2022
by Claudio Guidi DZone Core CORE
· 11,004 Views · 4 Likes
article thumbnail
EDI Integration Platforms: Benefits and Limitations
Find out how companies can leverage EDI integration solutions to drive their business forward. Also, explore the potential limitations posed by EDI.
September 30, 2022
by Chandra Shekhar
· 6,935 Views · 2 Likes
article thumbnail
Docker Desktop vs Rancher Desktop
Learn more about Docker desktop and rancher desktop.
September 29, 2022
by Matt Farina
· 6,989 Views · 2 Likes
article thumbnail
Getting Started With Docker: 5 Easy Steps
Docker is synonymous with DevOps. What is Docker? How can you learn Docker? Let’s find out in this post.
September 29, 2022
by Ranga Karanam
· 8,204 Views · 2 Likes
  • Previous
  • ...
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • ...
  • Next
  • RSS
  • X
  • Facebook

ABOUT US

  • About DZone
  • Support and feedback
  • Community research

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 215
  • Nashville, TN 37211
  • [email protected]

Let's be friends:

  • RSS
  • X
  • Facebook
×