Over the years, developers have been dogged by a reputation for placing security as an afterthought. Get a slick, full-featured experience up and running fast, and figure out how to deal with whatever holes crop up once QA gets its hands on the code.
Organizations may have had a significant hand in fostering developers' laissez-faire attitude toward security by siloing teams in separate domains and giving development, QA, ops, and security operations isolated opportunities to levy their expertise on the code.
But with security and privacy increasingly top of mind among users and with companies moving more toward a devops approach to software development, developers need to shed that reputation and consider security concerns as an integral part of the development process.
To shed light on how developers' attitudes toward security are changing, I sat down with Jamesha Fisher, security operations engineer at GitHub, at Black Hat to ask her point blank: Do developers care about security?
Sometimes it still seems like they don't. A distressingly large number of web applications still have SQL injection flaws. The discussion around the deserialization flaw in a Java library a little less than a year ago showed that many developers still aren't sanitizing all inputs to their applications. That's only two out of a long list of common security mistakes developers make.
That's not to say there is malicious intent. Anything created by humans, by definition, will be imperfect, and software is no different. No developer wants the code segment he or she produces to contain the next Stagefright or Heartbleed. It's a question of knowledge, skills, mentality, and culture, as Fisher pointed out in our discussion. And with security and privacy becoming a daily headline concern, developers are beginning to ask the right questions.
"So many of them are increasingly getting more focused on security," Fisher says, pointing to questions they ask early about authentication and how to store data securely, when in years past this was left to secops. Developers are looking at how their peers are building similar applications and taking note of the baseline expectations.
Security isn't about vulnerabilities alone, Fisher points out. Availability is a form of security, too, she says, and that covers both user traffic and malicious intent. With data breaches exposing user data, there are now more questions around data storage: securing data so thieves can't easily access or steal it, and considering, from the get-go, how to store data so that it remains protected in case of theft.
"A lot of teams going in are [saying], 'We need to think about availability; we need to think about app security, having it baked in, or at least having the basic security stuff down,'" Fisher says.
For many startups, security concerns have become a rite of passage. As they get past the initial hustle and start to attract interest from enterprises, many are faced with the prospect of making sure their product and infrastructure fit what enterprises are looking for. In many cases, this means both hardened security and compliance. Software shops at this stage of maturation are beginning to realize the importance of documenting software development processes and explaining how they handle software updates, Fisher says.
Security is also playing a role in the rising use of devops, as security teams work with developers to get the fixes out faster and better. For this to gel and for code to be secure, organizations need to undergo a cultural shift, starting from the highest levels of management down, so that security can be folded into the devops pipeline, Fisher says.
But for those who think developers don't care about security, Fisher is adamant. "That is definitely not the case."