Security during development A Wise or Otherwise Decision
Web application security, cyber theft and cyber ransom are some of the most trending security topics in the internet these days. Despite the large number of antivirus companies and security professional out there, still the approach towards this is reactive and this common trend is indicating that the engagement of offensive security mind-set needs an increase of several magnitudes.
All security attacks pose risk to the business and risk can be mitigated with awareness and it holds good for security incidence also. When software developers get education on security which intern enables them to detect and protect their application in advance, when this happens to some extent application can be marked as protected. Though definition of Protected application is the matter of debate in security community as the how protected application is depends on who is attacking and who essentially is providing the protection. Real security would be implemented completely only when developers will be involved from the step one. Without the actual workforce involvement our assumption of having vulnerability free software systems seems very unrealistic.
When developers are writing code they are more interested in the problem solving and logical progression, they don’t want to lose the time in deployment process, most of the J2EE certified application servers when they run on development mode, time taken to publish the changes keeps everything on halt. personally have experienced this in WebLogic, WebSphere. In reality businesses exist to make money, none of them exist specifically to maintain security and fortify them with latest security systems.
2 things have been overlooked in the software development industry generally, one thing is the rapid feedback cycle, developers waste lots of time in deploying and executing their code than in coding, unfortunately there are not many products which facilitates real time deployment and security testing, we must admit that there are few but those too are not supported for every platform, these solutions have long way to go. Another problem that I could think of is vulnerability detection at the time of software development. These things are really fundamental to secure software development cycle and most importantly they should be open and free. Open source community needs to put some serious thought on this area which I feel is overlooked from long time.
Having the development time security detection not only reduces the cost and saves time but it also infuses security vulnerability awareness among developers. Lack of security specific understanding among developers is growing concern of product managers, additionally it enhances time to market your product.
Once we are successful in infusing this thought of writing secure code into the mind of developers, cost of security testing and remediation would eventually become negligible. Training programs that promote this goal will help us realize the positive outcomes shortly. All of sudden making them mandatory might sound like an order and creating compliance verses engagement problem. Management should handle this problem carefully. Initiatives which are started with sole aim of promoting secure coding practices should be fun to learn and implement. This seems the only way of achieving cent per cent security in software development cycle.
Bottom line is run time security issue detection and rapid feedback cycle is the demand of hour and software industry and open source community need to come up with serious plan of implementing and building frameworks where secure coding practices can foster and result into protracted software systems.