We all know that as the internet of things (IoT) and digital transformation make life more convenient and productive, technology also invites wide-ranging cyberthreats for enterprises. From stealing consumers’ bank account or financial data to hacking public utilities or even nuclear power plants, the threats are all around us. As a result, security is an issue for most companies, CTOs, CIOs and software engineers. In fact, the high security requirements of industrial IoT systems represent the No. 1 challenge for 49.1 percent of developers working in that space, according to Evans Data’s The Internet of Things Development Survey.
“In today’s technology environment, application security testing for vulnerabilities and flaws in software code should be a security best practice, regardless of an organization’s size or industry,” said Chris Wysopal, co-founder and CTO of Veracode, a software security company. However, in a September 2016 Veracode survey of IT decision-makers involved in cybersecurity, 83 percent of the respondents said that they released code before testing or resolving security issues involving bugs. And a March 2015 IBM report titled “The State of Mobile Application Insecurity” found that one-third of companies weren’t even testing mobile applications for security vulnerabilities.
It’s shocking that, although attacks against corporate assets are on the rise, application and software development security still lags behind as an afterthought.
Developers on the front lines
What’s to stop someone from hacking into an online software system or application and stealing data or access to critical processes? Both the threats and the solutions depend on software, and many software development professionals are well aware of the situation. One wall of defense is secure development with a focus on quality assurance, testing and code review. In fact, software developers — whether your team is in-house or outsourced — might be your enterprise’s front line of defense, provided they maintain a security mindset.
There are various ways for developers to test and check code. For example, they could use static application security testing tools or dynamic application security testing technologies, or engage in visual testing. Some specialists even battle for greater software security by intentionally playing the role of adversary — an approach often referred to as white hat testing. These experts hunt for security vulnerabilities used by attackers to circumvent security controls. The IBM X-Force Red is one example; this group of security professionals and ethical hackers help businesses discover vulnerabilities in their computer networks, hardware and software applications before cybercriminals do. IBM X-Force Red is led by noted testing expert Charles Henderson. “Having a machine scan your servers and source code is a great step to help prevent data breaches, but the human element of security testing cannot be overlooked,” Henderson says.
Looking back, software development teams that I worked with in the 1980s and 1990s rarely did code review. Today, it’s expected and a professional must do it — so much so that software developers have stepped it up, taking on bigger roles in ensuring application security. According to a December 2016 Veradode survey, 40 percent now incorporate securing testing during programming, and 21 percent during the design stage. Testing early in the development process finds code defects at the point where it’s least costly to fix them.
A useful resource to check out is OWASP — The Open Web Application Security Project. It’s a not-for-profit organization focused on improving the security of software. OWASP provides impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. One of its many resources is an “Application Security How-To” section (see OWASP.org).
When there’s not enough talent
While it’s key to focus on security during software development, the limited talent pool confounds the situation: There aren’t enough professionals to keep up with the growing threats. Indeed, finding and keeping good software development talent is already challenging enough, let alone retaining talent that’s security-focused.
“A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP,” says James A. Lewis of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS). CSIS recently partnered with Intel Security to release a report titled “Hacking the Skills Shortage,” which outlines the talent shortage crisis impacting the cybersecurity industry across both companies and nations. “This is a global problem; a majority of respondents in all countries surveyed could link their workforce shortage to damage to their organization,” says Lewis.
While it can be challenging to find software development professionals — especially those who are serious about security — the right kind of software engineering professionals and teams do exist. Outsourcing to an onshore, nearshore or offshore team is a solution. Many world-class, highly trained software development providers are available, and they are cost-effective and have a security mindset.
When you outsource software development, make sure you hire a reputable team that makes security a priority. Avoid developers who don’t take it seriously. They’re a risk you don’t need. Instead, make sure your provider is proficient in security by discussing it early on. Ask potential outsourcing partners to provide examples of how they make security a priority, and find out what code QA and testing methods they use, when in the development process they start testing and whether they use a variety of tests to confirm quality. Also ask them to demonstrate that they are current on the latest testing and QA practices.