About the Author:

Kellye Whitney
Kellye Whitney is an award-winning writer and editor. The former editor of Chief Learning Officer magazine is now the founder and Chief Creative Officer of Kellye Media, a Chicago-based media coaching, content and consulting company.

With Privacy and Data Up for Grabs, Building Secure Applications Is a Critical Skill
Data, privacy, breaches: these topics are bandied about a lot these days, and for good reason. The damage from attacks and leaks seems to get more severe with each news story. In the aftermath, a company’s image, reputation, even its customers’ trust – not to mention significant sources of revenue – are at stake. There’s even legislation afoot forcing companies to protect consumer data.

Now consider that today’s software applications are essentially modern-day storefronts. Businesses are expanding, which means they’re doubling down on mobile, web or API-based applications; the volume and frequency of application production are increasing. Simultaneously, the complexity and volume of attacks on these applications are also increasing. Further, there aren’t enough people available who understand and can implement sufficient application security to handle the problem.

“These three factors have a kind of multiplicative effect giving rise to an exponential business risk that often goes unnoticed in board conversations,” said Setu Kulkarni, vice president of corporate strategy for White Hat Security, an application security company. “Every bit of code developers write – if it makes it to the storefront – increases the attack surface on the overall business.”

In the midst of this storm, application security is key. Kulkarni said while there are plenty of advanced computational resources today for organizations to write business applications rapidly, the same computational resources are also available to adversaries and hackers – at the same cost. Further, they won’t hesitate to use them to breach software applications and exfiltrate data because the value of that data has increased exponentially as well.

Data is part of a company’s intellectual property, especially as businesses leverage artificial intelligence and machine learning to gain a competitive edge. Most companies are now responsible for hundreds of thousands of users’ data: user names, passwords, credit card numbers, zip codes and more. “That data is the treasure trove that the adversaries are looking for,” Kulkarni said.

The risks are enormous. The millions of consumers affected by recent data breaches from Uber, Facebook, Equifax and a dozen other high-profile companies will unhappily confirm that. Security is important to everyone. It has become critical that organizations proactively train developers and other technical talent not just how to implement security, but also what impact poor security can have on a business.

“For way too long, we’ve tried to generalize security training. Organizations have administered mandatory security training where one logs into an online portal, clicks through, answers the questions, and everybody in the organization – irrespective of their roles and responsibilities – gets administered the same questionnaire. That’s a fool’s errand given where we are today,” Kulkarni explained. “It’s very important to identify the various stakeholders in your organization, and tailor security training for them.”

He said there are at least three organizational personas for which we should tailor application security education:

One, business leaders and executives need to be security aware because they’re making decisions on behalf of the company. They have a responsibility to protect the organization’s infrastructure as well as customers’ data. Providing executives with risk-based training helps them understand the security risks they’re undertaking by implementing or setting up a business, whether it takes online credit card payments or operates in some other way.

Two, the chief information security officer and his team need to learn a few new skills as well. Certainly, they need to know about security, which they’ve undoubtedly studied and learned on the job. They also need program management skills, to know how to implement an end-to-end security program at a time when everything is driven by code and software applications.

In this highly platform-oriented world, they also need to understand how to implement security in DevOps environments. They should understand the modern platforms out there, whether it’s Apple, Google or Microsoft, that are used to deliver business applications.

Three, the development community needs to understand how to write secure code. “If you go to a developer today and ask him, ‘why did you write insecure code?’ The answer is ‘well, I didn’t know what secure code looks like,’” Kulkarni said. “Just telling them their code is insecure only solves half the problem; it’s very reactive.

“If you want to get proactive around security, you’ve got to train developers to know what secure code looks like. There are a few ways to do that. One way we have explored is secure code design patterns. If you go talk to a developer, the first thing they want to identify is what are the design patterns implemented?”

There are a variety of ways to make training interesting and applicable to developers, and to incentivize them to take on this role. The kind of learning environment needed to provide multi-faceted training would naturally take place in a classroom – but not just any classroom. It would require intense labs, offer meaningful interactions with instructors, and promote peer-to-peer learning. It would also have to appeal to what Kulkarni described as a developer’s particular motivation for learning.

For technical talent, the ability to innovate is important, as is having a mission, and being able to solve problems. “We’ve got to adapt the way we deliver training to what motivates them,” he said.

For example, many times developers learn simply by Googling. They don’t want an entire thesis on how to solve a problem when an online resource or focused search will produce the information they need. They want micro training in the moment to tell them what they should do right now. “Then give them an opportunity to practice immediately,” Kulkarni said. “By doing something over and over again, they’ll improve.”

Feedback is also important – when given at the right time. “Remember, we’re trying to build muscle memory, and we have succeeded at doing this as an industry many times in the past,” Kulkarni explained. “DevOps is a great mechanism to build that muscle memory. So, make sure you’re testing your applications frequently, rapidly, continuously throughout the software lifecycle.”

But even that is only half the story. Kulkarni said you need to take the results from applications you’re testing and put them into the DevOps process. “There are a variety of inflection points whether it’s at the development phase, the build-test phase, or the deploy-operate phase, to integrate this information into your pipeline, tools, bug tracking systems, and metrics, so that feedback loop is built in,” he explained. “That way, when you find a security issue, it shows up as a software defect and is immediately triaged and prioritized to be fixed if needed.”