The full article was first available on Forbes - read it here.
Software security stands out. Not a day goes by without some or other cybersecurity risk, penetrating hack, system infringement or wider system compromise happening. But this is not a cyber risk story, this is an opportunity to look beneath the malicious ransomware alerts and question the software application development processes that build our apps in the first place - this is the road to secure code.
In a world where Venture Capital (VC) investment in cybersecurity startups is both vibrant and widespread, should we at some point step back and question the programming function itself, to analyse, quantify and qualify the steps we should be taking to safeguard systems and data in the first place?
Organizations are investing in an array of infrastructure components, ranging from network-based intrusion detection systems and firewalls to exhaustive Software Bill of Materials (SBOM) processes that seek to secure the supply chain. These technological advancements undoubtedly lay the groundwork for a secure environment, yet they constitute only a fraction of the equation.
The true strength of secure computing lies in the integrity of how the code behaves when faced with the reality of end users. This is the opinion of Alex Olivier in his position as product lead at Cerbos, a company known for its adaptive authorization technology.
“Secure code encompasses the implementation of coding practices and techniques that prioritize security - be it secure development practices or testing the application against areas in the latest Open Source Foundation for Application Security [reports],” explained Olivier. “It involves writing code that mitigates vulnerabilities and proactively prevents potential exploits. Despite its pivotal role, secure code is often overlooked due to all the new security tools which say they can solve all your problems at the infrastructure level. However, underestimating the consequences of insecure code can provide insight into the potential for dire outcomes to result - data breaches, system compromises, and the erosion of trust within the secure environment are all possibilities just from a couple of lines of poorly written code that affect not only users but also the overall reputation of the organization.”
The presence of insecure code within enterprise applications clearly creates opportunities for malicious actors to exploit vulnerabilities. Unauthorized access, theft of sensitive information and even the compromise of an organization’s entire software stack and its related systems, applications and services become potential consequences.
“Consider a scenario where a financial institution inadvertently exposes customer data due to insecure code in its online banking application. This breach not only results in financial losses but also erodes customer trust, tarnishing the institution's hard-earned reputation. Likewise, an e-commerce platform that neglects proper user input validation opens itself up to breaches, as attackers inject malicious code capable of compromising the entire system. These instances serve as powerful reminders of the criticality of secure code in safeguarding applications and the sensitive data they handle,” said Olivier.
The Cerbos team offers five cornerstones to consider when an enterprise manages to be introspective enough to look at its code security stance. When programmers and their associated operations teams are doing a deep dive reviewing code, Cerbos points to comparatively common scenarios where a simple slip-up in logic can leave a system vulnerable:
“In addition to these practices and regular code reviews with software application developers themselves, using tools built for vulnerability testing and penetration testing plays a pivotal role in identifying and rectifying security flaws,” clarified Olivier. “By combining programmatic steps with human review of key areas you can reduce the risk of even the most complex systems.”
If any of these points sound a little high level and the sole preserve of the chief information officer, they shouldn’t: developing secure code necessitates a collaborative effort involving developers, security teams and the business side of the house.
“Establishing secure coding standards, implementing secure design principles and conducting comprehensive security training programs for developers are all integral to ingraining secure code practices from the early stages of development. Fostering a culture of security awareness and accountability within the organization is equally crucial to ensuring that secure coding becomes an inherent part of the development process,” emphasized Olivier, in a statement that may be the most impactful of all comments made on this subject.
In the dynamic world of secure computing - if we can get there - it is imperative to recognize the indispensable role of secure code. From Olivier’s perspective, when a business works hard to prioritize secure coding practices, it can minimize vulnerabilities, enhance customer trust and establish a solid security foundation.
When our automobile or a household appliance breaks down we might think about blaming the manufacturer; when our software shows itself to be brittle, flaky or insecure, we might more directly think about the development process that led to its production and release.