Chris Wysopal on a shared responsibility model for developers and defenders
The O’Reilly Security Podcast: Shifting secure code responsibility to developers, building secure software quickly, and the importance of changing processes.
In this episode of the Security Podcast, I talk with Chris Wysopal, co-founder and CTO of Veracode. We discuss the increasing role of developers in building secure software, maintaining development speed while injecting security testing, and helping developers identify when they need to contact the security team for help.
Here are some highlights:
The challenges of securing enduring vs. new software
One of the big challenges in securing software is that it’s most often built, maintained, and upgraded over many years. Think of online banking software for a financial services company. They probably started building that 15 years ago, and it’s probably gone through two or three major changes, but the tooling and the language and the libraries, and all the things that they’re using are all built from the original code. Fitting security into that style of software development presents challenges because they’re not used to the newer tool sets and the newer ways of doing things. It’s actually sometimes easier to integrate security into a newer software. Even though they’re moving faster, it’s easier to integrate into some of the newer development toolchains.
Changing processes to enable small batch testing and fixing
There are parallels between where we are with security now and where performance was at the beginning of the Agile movement. With Agile, the thought was, ‘We’re going to go fast, but one of the ways we’re going to maintain quality is we’re going to require unit tests written by every developer for every piece of functIonality they do, and that these automated unit tests will run on every build and every code change.’ By changing the way you do things, from a manual backend weighted full system test to smaller batch incremental tests of pieces of functionality, you’re able to speed up the development process, without sacrificing quality. That’s a change in process. To have a high performing application, you didn’t necessarily need to spend more time building it. You needed better intelligence—so, APM technology put into production to understand performance issues better and more quickly allowed teams to still go fast and not have performance bottlenecks.
Helping developers identify when they need to call for security help
We need to teach developers about application security to enable them to identify when there’s a problem and when they don’t know enough to solve it themselves. One of the problems with application security is that developers often don’t know enough to recognize when they need to call in an expert. For example, when an architect is building a structure and knows there’s a problem with the engineering of a component, the architect knows to call in a structural engineer to augment their expertise. We need to have the same dynamic with software developers. They’re experts in their field, and they need to know a lot about security. They also need to know when they require help with threat modeling or to perform a manual code review on a really critical piece of code, like account recovery mechanism. We need to shift more security expertise into the development organization, but part of that is also helping developers know when to call out to the security team. That’s also a way we can help the challenge of hiring security experts, because they’re hard to find.