Security Awareness for a Secure Coding Culture
15th Jul, 2022
With the exposure I have had to Application Security, I know one thing for sure: Application Security is often ignored, under-supported and alienated. Whenever the topic is raised with stakeholders (CISOs, customers, project development teams, etc.) to understand their perception of AppSec, the response is almost unanimous: AppSec is complex, expensive and infuriating. Lack of knowledge and visibility often leaves stakeholders asking, "Where do we position AppSec, and how do we go about it?" And often, those questions go unanswered or, more precisely, uncorrected. Why uncorrected? Because the underlying misconception is never challenged: AppSec is not a puzzle piece that has to be placed before or after another piece. AppSec is the tabletop on which the puzzle pieces are placed and solved.
More often than not, when we say Application Security, the questions that arise are "What is software security?", "How much security are we talking about?", "Is there a particular set of security standards to be followed for my software?" and "When will my application be completely SECURE?" No software can be made 100% secure. However, it is a strong starting point if the team analyses the risks that apply to its own software and takes action to mitigate them. As applications have become more functionally capable, Application Security has become far more complex, and so have the myths around it, giving it the face of a Kraken, something that cannot be conquered.
For too many years, security has been an afterthought in the application development process. Developers were told their primary role was to code, build and deploy quickly. Those who could code fastest and deliver features with the fewest functional bugs were the top performers. A conscious cultural shift from 'code functionally' to 'code securely' must be recognised and promoted, NOW!
Ownership of Application Security starts with understanding that an early start and multi-faceted collaboration are the key. Before we start with the analysis methods (SAST, DAST, IAST, SCA, etc.) or worry about false positives and multiple reports, we must get the base right. In two words: Security Awareness. Security awareness sessions are chronically underrated. They should not be limited to defining AppSec and learning its jargon; there is much more to it. Everyone involved in application development must GENUINELY understand its purpose.
First stop under security awareness: defining Application Security standards and practices by analysing the risks attached to the software being developed, understanding the possible mitigation options, and adopting the most suitable one. Secure coding standards must be derived from the risk analysis and enforced from the beginning of the application development life cycle. The standards must be established regardless of the languages, tools and other technologies used. While secure coding standards are language- and platform-independent, secure coding best practices depend very much on the language and tools in use: a standard may require that untrusted input never changes the structure of a database query, but the practice that satisfies it is a parameterised query in whichever database API the team actually uses. Without in-depth knowledge of the technologies and languages involved, secure coding practices cannot be implemented, because HOW we use the programming language decides the security coverage of the application.
When a developer thinks "I honestly do not know what secure coding or secure software is" or "I don't understand how an attacker exploits the code", it is simply impossible for them to code securely. So, naturally, the second stop is training the talent. Establishing secure coding practices will not help if the team is not trained in them. Educating the workforce on secure coding standards, best practices and tool usage is critical to writing secure code. Brainstorming the security requirements specific to the product or application, and studying the common security practices followed in the same industry and domain, is an effective route to a holistic Application Security approach. It helps the team understand the sources of vulnerabilities in their software and the reasons that lead to an application with inadequate, penetrable security.
The third and final stop of security awareness is understanding insecure coding techniques. Developers should learn the insecure ways of coding alongside the best practices of secure coding. Build a shared inventory of the most common coding errors, each with a case study and annotations, so developers can watch for them while coding. Clear communication of the errors that must be avoided helps developers build code that is secure and functional rather than merely functional.
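The kind of inventory entry described above, written out as a runnable case study: the insecure pattern and its hardened form side by side, with the annotations a developer would read while coding. This is an added example, not code from the original post; the table, the user record and the attacker's input are constructed sample data. It illustrates the point from the first stop as well: the standard ("untrusted input must not change the structure of a query") is language-independent, while the practice shown (bound parameters in Python's sqlite3 API) is specific to the language and library in use.

```python
"""Inventory entry: SQL built by string concatenation vs. a parameterised query.

Constructed example. The schema, the single user row and the attacker payload are
made up for the demonstration; the vulnerability pattern itself is the classic one.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def find_user_insecure(conn: sqlite3.Connection, username: str) -> list[str]:
    """INSECURE: the untrusted username is spliced into the SQL text.

    Annotation: anything the caller supplies becomes part of the query's structure,
    so a value such as  ' OR '1'='1  turns a lookup of one user into a lookup of all.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_secure(conn: sqlite3.Connection, username: str) -> list[str]:
    """SECURE: the SQL text is fixed; the username travels as a bound parameter.

    Annotation: the driver hands the value to the engine separately from the
    statement, so it is compared as data and can never be parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed attacker input: closes the quoted literal and appends a tautology.
PAYLOAD = "' OR '1'='1"


def demo() -> dict[str, list[str]]:
    """Run both implementations against an honest user and the attack payload."""
    conn = build_db()
    return {
        "insecure_honest": find_user_insecure(conn, "alice"),
        "insecure_attack": find_user_insecure(conn, PAYLOAD),
        "secure_honest": find_user_secure(conn, "alice"),
        "secure_attack": find_user_secure(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:16s} -> {rows}")
```

Running it shows the whole case study in four lines of output: both versions find `alice` for the honest lookup, but only the concatenated version also returns her for the payload, because the payload rewrote the WHERE clause. The parameterised version looks for a user literally named `' OR '1'='1` and finds nothing. An inventory entry in this shape gives a developer the exploit, the fix and the reason in one place.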
Security awareness is complete only when secure coding guidelines and best practices are established, communicated and adopted across the organisation. Regular conversations about Application Security should be the norm, covering the latest trends, global standards, frequently reported errors that create vulnerabilities, and so on. Next, build a secure coding culture by assessing developers on how 'securely' functional their code is. Finally, certify the code against the secure coding standards and practices as the benchmark. A cultural shift is possible only when the entire community understands the purpose and adapts to the change.