What can developers learn from toy building blocks in the modern era of app development? asks Maty Siman, Checkmarx founder and CTO.
Software development has evolved beyond recognition over recent years. Thanks to transforming and evolving market demands and increased user experience requirements, businesses have been forced to create and adopt more innovative solutions, adapt their web and app development processes, and focus more energy on software security.
As part of these developments, and the changing world we live in, the role of software developers is also evolving. While developers, ten to 15 years ago, used to write all their own code, now they don’t have to. Instead, they take tools and resources from different places, and use them as a basis, allowing them to focus less on creating software, and more on innovation, user experience and unique selling points which will make their applications stand out. It’s the new era of modern application development.
One way of summarising this is by using Lego bricks as a proxy. Modern application development, when broken down, isn’t too dissimilar to using toy blocks to build a bridge. For example, to build a secure bridge, it is not sufficient to focus on each brick individually to determine if the bridge is strong enough. The builder must understand the bigger picture, or the ‘architecture.’
By moving away from writing their own code, developers have to combine different elements with architecture, which includes looking at the full infrastructure to see just how stable the design really is. What we are talking about here is the basis of modern application development.
With coding, as with building blocks, it’s important for developers to have a view of the bigger picture. Developers now want to build flexible applications by simply snapping components together – this is a positive shift and has allowed developers the ability to focus on what matters the most, business logic. At the same time, however, this does raise concerns around security, especially when it comes to the links between the components.
Developers are constantly introduced to new and complex security challenges. An application breach can be devastating not only to the end user, but to the entire organisation as well. As the ‘snap-on’ model of modern application development continues to gain popularity, what are the security risks that organisations need to consider when ‘Legolising’ modern application development?
When building a metaphorical Lego bridge in the application security world, developers need to look at where components are linked and the ways that they work together to ensure the security of the applications they’re building. Modern application security is focused on two steps: making sure the bricks are secure, then making sure the architecture is secure. Without doing this we’re opening up the apps we’re developing to attackers.
We have seen a proliferation of supply chain attacks in the last year, including large-scale, high-profile attacks, such as Kaseya and Colonial Pipeline, targeting major firms along various supply chains. Hackers have realised it’s easier to attack one component rather than the whole stack. It might seem obvious, but if we apply this back to our bridge, it’s easier to attack a crack in the bridge, rather than the whole bridge itself, and the same applies for applications. For example, rather than attacking an organisation head on, hackers are finding a vulnerable component to attack instead.
Mitigating
Traditionally, developers have seen security as the problem of an organisation’s IT team. But, in recent years, there has been a mindset change and developers are realising that the security issue also lies with them. In order to help developers prevent a ‘legolised’ attack, organisations need to encourage them to take a more holistic, unified, and effective approach to managing risk.
Developers need access to the right tools to look at the overall architecture of how the code they use fits together. This means no longer using best-of-breed solutions or code if they don’t work together in a unified way. There is now a real need to be able to scan all the bricks and the links and to have different engines correlating with each other.
Developers can’t be expected to know the tricks to beating criminals as they move too quickly. However, they do need to be able to automate detection and mitigate security risks. To help them with this, they need to use a supply chain engine that can track all components and infrastructure, but also one that won’t affect or slow down their work.
Putting training on the agenda
Training is also another important requirement. Despite the complexity they now face, security training for developers is still considered a low priority for business in many cases. And herein lies an issue: developers are eager for knowledge on writing secure-by-design code, yet lack the necessary support, skills or guidance to execute it. This knowledge gap leaves them unable to deliver the safest products for organisations, resulting in risks that are entirely preventable.
Businesses need to put measures in place to ensure developers receive the appropriate application security training – but not traditional compliance sessions. Organisations should, instead, prioritise a bitesize, interactive training style that enthuses and is tailored to developers who are reshaping software development.
Innovation in the technology sector specifically isn’t slowing down, and developers will need to keep up with this pace of change if they’re to truly create solutions which empower organisations to digitally transform for the better. While this is an exciting time to be a software developer, organisations need to ensure they’re empowering their development teams to create secure applications. Only by implementing the aforementioned solutions can businesses ensure they’re evolving modern application security in tandem.
