Better application security can’t start with tools


There’s a common trope in sci-fi movies where robots start thinking for themselves and start a war with humans for control of Earth.

These stories come from a familiar place. We continue to see robots, machines and technological tools replacing many traditional jobs that require a human touch. Many industries, such as manufacturing, rely heavily on these devices, with automation posing a growing threat to the workforce.

Technological tools remain essential to software development, but they also have limits. Software development has become equal parts art and science with a skilled and trained developer able to complement static tools and add key value beyond a bot-only approach.

Cybersecurity has an essential human element. It is the one who can take into account the information of active users, their own experience and the priorities of their organization to rethink security. Humans must play a vital role in security, expertly leveraging tools but also applying contextual intuition and experience to improve security posture.

Tools offer limited reach and often respond reactively

The rapid software development lifecycle has often made security an afterthought, and applications are too often shipped with known vulnerabilities. To fix these shortcomings, other developers joining later in the lifecycle rely on tools that provide great utility, but often respond reactively to threats and address security after the fact. Some of the most commonly used tools can only offer limited protection. They understand:

  • Vulnerability scanners: These applications take an inventory of technology assets and then compare the operating system against a database of known vulnerabilities. Although an essential part of cyber defense, vulnerability scanners can only detect known threats and remain susceptible to new attack vectors. There’s no single scanner that’s a catch-all, and they can be notoriously slow, bogging down the security team with false positives and negatives that require meticulous sorting.
  • Software Bill of Materials (SBOM): This provides an inventory of a code base, including open source components and license and version information. Like vulnerability scanners, these tools check for known vulnerabilities, leaving them open to new types of attacks. They can also be difficult to keep up to date and require considerable time from already overworked development teams.
  • Jira: Originally an issue tracker, Jira is a work management tool that allows developers and IT teams to identify and track coding issues as they build software. This method tends to be reactive and relies on users to identify, find, and resolve issues.
  • Embolden: This tool helps to manage and control the quality of software projects. It works as an aid to help developers write clean code using artificial intelligence. However, Embold creates generic apps that may not have the security depth and functionality that an organization wants.

Security-skilled developers using a proactive approach have greater impact

The tools listed above all work responsively. This is where developers can add real value. They don’t have to wait for a breach to expose threat information to take action. Developer teams can integrate proactive security controls that evolve with new threat trends.

Developers can play a key role in the security maturity of their organization. When properly aligned, development teams and their organizations can work toward a continuous cycle of improvement to stay ahead of evolving threats. This process ensures that they keep pace with evolving threats and minimize the risk of exploitation in the code and software delivered.

Developers are in a better position than anyone else to investigate vulnerabilities in reused or existing code, while making a meaningful contribution to setting a standard for secure code. Properly trained developers who understand how to integrate security into the software development lifecycle are as valuable, if not more so, than the machines and applications supporting business operations.

While tools certainly have value and remain indispensable, they cannot become the sole focus of an organization seeking a more holistic, defensive, and modern approach to cybersecurity. These tools provide a limited view, but developers can fill in the gaps with their appropriate experience and knowledge. They can contribute to a security-centric culture and bring long-term value to an organization’s security posture.

Important next steps

Expert security developers will never go out of style and are unlikely to be truly replaced.

Developers must continue to train and upskill to maintain this advantage, while organizations must continue to invest in their talent. We are still seeing a skills gap among developers, leading to high turnover. Instead of leveraging automated technologies to fill these gaps, organizations should invest more in their current developers and give them the opportunity to undergo meaningful training.

As robots, automated technologies, and artificial intelligence become more mainstream, we need to remember where humans still provide value. It starts with security.

Want to learn more about cybersecurity and the cloud from industry leaders? Discover Cyber ​​Security & Cloud Expo taking place in Amsterdam, California and London.

Check out other upcoming TechForge enterprise technology events and webinars here.

Key words: cybersecurity, cybersecurity, development, security, software

Source link


Comments are closed.