Do developers really care about security?

InfoWorld talks with GitHub's Jamesha Fisher about the cultural shifts necessary for baking security early into the devops process

Over the years, developers have been dogged by a reputation for placing security as an afterthought. Get a slick, full-featured experience up and running fast, and figure out how to deal with whatever holes crop up once QA gets its hands on the code.

Organizations may have had a significant hand in fostering developers' laissez-faire attitude toward security by siloing teams in separate domains and giving development, QA, ops, and security operations only isolated, sequential opportunities to bring their expertise to bear on the code.

But with security and privacy increasingly top of mind among users and with companies moving more toward a devops approach to software development, developers need to shed that reputation and consider security concerns as an integral part of the development process.

To shed light on how developers' attitudes toward security are changing, I sat down with Jamesha Fisher, security operations engineer at GitHub, at Black Hat to ask her point blank: Do developers care about security?

Sometimes it still seems like they don't. A distressingly large number of web applications still have SQL injection flaws. The discussion around the deserialization flaw in a Java library a little less than a year ago showed that many developers still hand untrusted input straight to code, such as a deserializer, that was never designed to receive it. Those are only two items on a long list of common security mistakes developers make.

That's not to say there is malicious intent. Anything created by humans will be imperfect, and software is no different. No developer wants the code segment he or she produces to contain the next Stagefright or Heartbleed. It's a question of knowledge, skills, mentality, and culture, as Fisher pointed out in our discussion. And with security and privacy becoming a daily headline concern, developers are beginning to ask the right questions.

"So many of them are increasingly getting more focused on security," Fisher says, pointing to questions they ask early about authentication and how to store data securely, when in years past this was left to secops. Developers are looking at how their peers are building similar applications and taking note of the baseline expectations.

Security isn't about vulnerabilities alone, Fisher points out. Availability is a form of security, too, she says: a service has to stand up both to legitimate user traffic and to deliberate attempts to overload it. With data breaches exposing user data, there are now more questions around data storage, especially about securing stored data so thieves can't easily read or extract it, and about deciding from the get-go how to store data so that it remains protected even if it is stolen.

"A lot of teams going in are [saying], 'We need to think about availability; we need to think about app security, having it baked in, or at least having the basic security stuff down,'" Fisher says.

For many startups, security concerns have become a rite of passage. As they get past the initial hustle and start to attract interest from enterprises, many are faced with the prospect of making sure their product and infrastructure fit what enterprises are looking for. In many cases, this means both hardened security and compliance. Software shops at this stage of maturation are beginning to realize the importance of documenting their software development processes and explaining how they handle software updates, Fisher says.

Security is also playing a role in the rising use of devops, as security teams work with developers to get the fixes out faster and better. For this to gel and for code to be secure, organizations need to undergo a cultural shift, starting from the highest levels of management down, so that security can be folded into the devops pipeline, Fisher says.

But for those who think developers don't care about security, Fisher is adamant. "That is definitely not the case."

By Fahmida Y. Rashid