Want secure code? Give devs the right tools

With the appropriate tools and environments, developers can take the first step forward in safeguarding app security

The Internet has serious security problems that need to be fixed. Despite many calls to action over the years for the industry to band together and work on solutions, progress has been mild. What’s needed isn’t necessarily more security technology. What’s needed are better tools for developers so that they can improve the security of their code.

In his keynote at Black Hat in Las Vegas, Dan Kaminsky, chief scientist and co-founder of White Ops, advocated for environments and coding frameworks that make it easier for developers to implement security without compromising usability or stifling creativity. His keynote, “The Hidden Architecture of Our Time: Why This Internet Worked, How We Could Lose It, and the Role Hackers Play,” called on the security industry to think about how new programming environments could have basic functionality and security features built in and turned on by default.

“I worry about the ability of developers to innovate without being smothered by security concerns,” Kaminsky told attendees.

I caught up with Kaminsky after the keynote to discuss what developers need to continue innovating and developing. During his speech, he said, “We have to figure out what people want to do and help them to do it safely.” In our discussion, he explained how that meant looking at programming languages, working with containers such as Docker, and sharing code.

There is so much innovation and so much technology now that “everyday developers can do massive things,” Kaminsky told me. “If they don't have a way to build these technologies securely, all of [developers’] thought is going to leave 'How do we build what users want' and go to 'How do we survive the real world.' It's a drain on people's thought.”

The answer isn’t more standards or theory, but “real-world experimentation,” Kaminsky says. “No more ‘If you really care about security, program in this language.’”

It’s one thing to create new tools -- say, programming languages like Rust that stamp out a whole class of vulnerabilities by enforcing memory safety-- but it’s another to see how developers use it. If they aren’t able to do what they need to accomplish with the new tool, they'll figure out a workaround.

For example, it’s easy to say stop coding in C because of the chances of introducing memory-related vulnerabilities. However, if the developer needs to embed code, then Python as the “safer” language is not an option. It has to be C. By looking at actual use cases, at how developers are working, we learn about these roadblocks and can start figuring out solutions to address them.

“I am not a fan of obtuse, difficult-to-use, theoretically correct but operationally difficult solutions only considerable because they are mathematically correct,” Kaminsky said during his speech. There needs to be people focusing on operational questions to figure out how things really work and come up with practical answers.

“We didn’t stop our cities from burning by making fire illegal or heal the ill by making sickness a crime. We actually studied the problems and learned to deliver safety,” Kaminsky said in his speech. "If we want to make security better, give people environments that are easy to work with and still secure.”

Developers in organizations are fixing bugs in their applications every day, but because they are not releasing the fixes, everyone else encountering the same bug has to fix it themselves. It’s common developer practice to search Google or poke around GitHub for code samples to common programming problems. Right now, there’s no way to tell if something is done well or if it’s poorly written. The best way to make sure everyone gets the best fixes is to publish the code so that it's available to all.

“Managers, you should be letting your engineers share solutions to many of your internal security problems. You’re solving them anyway,” Kaminsky said during his speech. “Someday, someone’s going to have your problem again.”

If that fix is the first result for a Google search, then more people will use the better code rather than a broken hack they found elsewhere.

“There are a million reasons why technology doesn’t work outside of security. What matters is, it doesn’t work. So the game really is, let’s figure out, what really does,” Kaminsky told me.

Join the CSO newsletter!

Error: Please check your email address.

More about Google

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fahmida Y. Rashid

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place