What I wish I knew about application security when I started programming

Software developers are creative problem solvers. Their job is to build functioning applications, and they deal with rapid changes — in technologies, tools, and programming languages — as the landscape evolves and the development velocity accelerates.

A key part of the development process is ensuring that the products delivered meet user needs and the goals of the business. And while they may not always be thinking about security, developers are, in fact, on the front lines of building secure applications.

Why is application security crucial?

Some developers don’t think about application security because it seems like something that happens outside their control and their reach. Some don’t have adequate security training and are not aware of what’s required to build a truly secure application.

In fact, security threats are always evolving, and information from a training session can quickly become out of date. Other developers assume that because the organisation already has some level of security (like a firewall, web application firewall, or endpoint protection), they don’t have to worry about building security into their applications.

Unfortunately, for many global organisations, this lack of security awareness means that applications might be built with vulnerabilities that make it easier for bad actors or cyber attackers to breach the system and gain access to sensitive data. Security testing is a critical step in every development process, but when issues are not identified until after the application is in production or has been released, security teams have a harder job.

They have to work with the developers to repair the code, causing significant delays. Developers want to build flawless apps, but no matter how excellent the functionality may be, it is not possible for any app to be perfectly secure. The goal, for both developers and the security team, is to make it harder and less profitable for someone to break in.

Shifting left

With today’s rapid development timelines, measured in hours and days instead of weeks or months, ignoring security is no longer an option for anyone along the software development life cycle (SDLC). DevOps teams need to build in processes to secure the apps at the earliest stages of the SDLC and have enough competency in app security to do basic tasks.

They also should be able to recognise when a security issue requires specific domain knowledge, so they can call in the relevant expertise to address the issue.

That is the shift to the left: finding and fixing bugs early in the development process instead of waiting until post-release testing. When you consider that the average cost of a breach in 2022 is US$4.35 million, and that 83% of organisations have experienced more than one breach, it’s clear that fixing vulnerabilities and bugs early in the development cycle is the most cost-effective, and potentially reputation-saving, way to go.

To make that shift, firms need to build security into the entire SDLC. There are a variety of automated app security tools that support developers and don’t interrupt this development timeline. These tools enable developers to fix vulnerabilities at the point they are identified, when they are still working on the code and it’s much easier to make the change.

What developers need to know

A developer’s main job is to create features that achieve the goal of the application, so a developer’s mindset is mainly focused on building a useful product. To develop truly secure applications, developers need several skills in addition to their engineering knowledge and focus on functionality. These include basic security concepts and use cases for security technologies, and how those relate to their company.

Developers need to understand how to prevent threats. But this can be hard because they think about building things, not breaking things. Learning to think about how someone might break the system means knowing all the things that could go wrong — including the components and dependencies in the software supply chain, and any known vulnerabilities.

Developers also need an understanding of what security testing is and what it can and can’t do. They also need to understand what happens during security testing — what the test is looking for, how vulnerabilities are prioritised, and how issues are mitigated.

Understanding security best practices, like patching the software and systems, automating routine tasks, and enforcing least privilege, serves the development team well. Sticking to the fundamentals and keeping security top-of-mind helps reduce the risk of a cyberattack.

Allon Mureinik is the Senior Manager for Software Engineering at Synopsys Software Integrity Group.