Forrester Research: Show, Don’t Tell, Your Developers How To Write Secure Code

As a security practitioner or leader, this complimentary report from Forrester can help you envision a new role for engineering teams in your Application Security program and reap the benefits of a more robust code security posture!

Below are some highlights from the report, with our comments.

Your developers never took a security exam

Don’t act surprised. The Forrester research team looked at the top 50 undergraduate Computer Science programs in the US and found that none of them required students to take web application security or secure software design classes.

Graduates of these programs enter the job market without any security training unless they took an elective course. And they’re probably writing (insecure) code at your company right now!

Our take: As you hire new developers, consider how to incorporate code security training into their onboarding programs. Don’t forget your more experienced or senior developers; they, too, need continuous training throughout their careers.

A new generation of AppSec tools to the rescue

What the Computer Science (CS) programs didn’t teach your developers, best-in-class Application Security testing tools can help fill in. Whether it’s secrets detection, SAST, DAST, or SCA, look for tools that enrich their alerts with good remediation advice for developers, or that even go as far as including brief “in-context” training modules.

Our take: The best tools should not only pull developers closer to the vulnerability remediation process but also help them avoid introducing the same class of vulnerability in the future.

Don’t swim against the tide

You will get the best results by working within developer constraints to empower secure coding in your organization. All day long, developers are moving across every stage of the software development lifecycle, so they don’t have much time left to spend on security.

Make sure the Application Security tools you select can implement quality gates that don’t feel like a slowdown and display scan results in the developer’s IDE or pull requests.

Our take: Security tools that bring development speed to a halt will be shunned by developers. Avoid them at all costs.

Don’t sleep on the security risks of low-code

Low-code promises to make development much more accessible, spurring a new generation of “citizen developers” empowered to build internal tools and all sorts of apps without the help of engineers.

Low-code platforms rely one way or another on code and also happen to generate code. They simply add a deeper level of abstraction for the users building applications on top of them, so you will still need to test the output for misconfigurations and vulnerabilities and ensure you have the right policies in place to avoid exposing any sensitive data.

Our take: The risk is two-fold here. End users may not be aware of the weaknesses they are introducing when developing their low-code applications. At the same time, low-code applications could inherit third-party vulnerabilities from the vendor’s own codebase. Think about it.

That’s it for now; we don’t want to spoil any more of it. There’s a lot more to learn in the complimentary report from Forrester!

This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Automated Secrets Detection, authored by Ziad Ghalleb. Read the original post at: https://blog.gitguardian.com/forrester-research-show-dont-tell-your-developers-how-to-write-secure-code/