Improving Software Security in 2022

The recent Log4j vulnerability showed just how quickly a security bug could disrupt not just an industry, but the entire world.

Organizations, especially federal agencies, will always find themselves at some level of risk, but they can also do more to mitigate those challenges. In November 2021, the Biden administration issued a directive through the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to fix hundreds of software and hardware vulnerabilities. 

While this effort created an immediate call to action to patch known security risks, organizations in all industries must constantly manage both known and unknown threats. A study released in July 2021 found it took organizations an average of 205 days to fix critical vulnerabilities, a timeframe that gives bad actors a wealth of opportunity to do serious damage.

Agencies must adopt a more proactive approach to cybersecurity by improving software code quality. Let’s look at how to do that.

An Ounce of Prevention

Shaking up the status quo does tend to raise a few eyebrows, but the truth is that security programs should be in a constant state of continuous improvement. Today, our security programs work in an overly reactive state that relies too heavily on mitigation once a threat has emerged.

Emphasizing a preventative approach may not be widely understood outside the security team, especially when an agency has a relatively clean security record. It might be seen as something that isn’t broken and, therefore, doesn’t need fixing. In this instance, getting leadership buy-in at all levels of an agency is important.

Some pertinent points security executives should emphasize to change security culture inside their organization include:

  • The time and cost savings achieved through preventative measures, such as role-based training and related tools, as opposed to the potential cost of a critical incident.
  • Finding and fixing software vulnerabilities as code is written keeps releases on time with fewer showstoppers from the security team.
  • Preparing for and preempting potential security risks, from development through release, saves time and money overall.

Shifting Left of Left

Shifting left has been popular in Agile and DevOps environments for over a decade. It involves testing small software components as early as possible rather than waiting until the end of the sprint.

To create more secure code, organizations need to start left of left, eliminating common vulnerabilities as early as possible to create a safer user experience. 

Starting left of left is a developer-first concept and requires organizations to get serious about uplifting their engineering cohort, placing emphasis on the creation of high-quality code. Security-aware developers are worth their weight in gold, and they need support in the form of job-relevant, hands-on training in secure code as well as the ability to provision the right tools. The opportunity to be mentored by more experienced developers will also foster an environment where code is crafted with a security-first mindset and the precision required to take software to the next level.

One key area that often gets overlooked is the user experience, particularly with regard to how users access information.

Security misconfigurations accounted for 21% of cloud-based data breaches in the past year, and amateur-hour errors (such as storing passwords in plaintext) resulted in serious productivity and customer trust losses. To avoid these errors, aim for a secure user experience that weaves tight security into a flow that makes sense. Adding more barriers (complex password requirements, a CAPTCHA, a horde of flesh-eating zombies) can turn users away. On the other hand, getting too permissive with security measures renders the entire point moot.

A successful, secure user experience needs to weave tight security into a flow that makes sense, presented in a way that doesn’t detract from anything compelling about the software. 

Improved Developer Upskilling

Developers, of course, want to write secure code, but they often lack those skills or need a refresher course. Meaningful training too often gets overlooked as the day-to-day needs of organizations allow for little time to improve skills.

In working with developers, we’ve found that about 75% prefer structured on-the-job learning instead of opening a manual. They would rather learn by doing and want training focused on practical applications, something that most current training programs are missing.

Look for any and all opportunities to upskill your developers. They are on the front lines when it comes to stopping vulnerabilities. Provide them both the time and right-fit resources, understanding that these efforts will pay considerable dividends in the future.

Government agencies, in particular, face inherent challenges in keeping their systems secure. They often must manage outdated systems with few financial resources and fight for top talent in an incredibly competitive market. There is no panacea for removing vulnerabilities, but taking a proactive and preventative approach that emphasizes the customer experience with highly skilled developers can help agencies take significant steps forward.

Pieter Danhieux

Pieter Danhieux is a globally recognized security expert, with over 12 years of experience as a security consultant and 8 years as a principal instructor for SANS, teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. He is the co-founder and CEO of Secure Code Warrior.
