Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).
At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so?
Well, we live in a world where the software industry is boldly going where it hasn't gone before. Applications form the lifeline of any business today. But they are under attack more than ever before. Cybercrime has risen exponentially in recent years, exposing a wide range of vulnerabilities in web and mobile applications. According to Verizon's 2016 Data Breach Investigations Report, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.
Most of these security issues are caused due to poor coding practices, which lead to poor application code integrity. In other words, hackers are exploiting application-layer loopholes in poorly-coded applications to initiate their attacks.
As legions of fans indulge in the film's next installment, Star Trek Beyond, let's look at the Kirk/Spock-style teamwork that needs to happen between two different species -- app development and IT security professionals -- in order to achieve application security best practices, secure coding specifically, and safeguard our enterprises.
In the spirit of collaboration, here are 4 ways for security teams to get developers excited about creating secure code:
1. Clear visualization
Do you want to boldly go where no man has gone before? Say you're in Paris and you want to take the Metro from the Louvre to the Eiffel Tower. Lacking a map, but armed with the list of stations and the respective train lines that stop at that station, you'll mentally calculate the easiest or quickest route.
The old static application security testing (SAST) tools worked in a similar fashion. They presented the developers with a long list of flaws and left it to the developers to pinpoint the location of the vulnerability. The heavy active and time-consuming involvement of developers within the security process alienated them from the exact process already at such an early stage.
It does not need to be that way any longer. Today's advanced SAST solutions enable developers to actually visualize the flaw: the solutions highlight the path that lead to the vulnerability. This type of visualization provides developers with a quick reference that pinpoints the flaw. More so, it allows developers to visualize how fixing a certain part of the code eliminates all flaws caused by that particular buggy piece of code and reduces the number of mitigation points required thus reducing the developer's effort significantly.
Returning to our Paris Metro example, this is similar to having a map app which provides the tourist with an interactive map displaying the various routes from the Louvre to the Eiffel Tower – and highlighting the quickest one.
The use of visualization alleviates developers from the security burden. In a quick and efficient manner, developers are able to continue their code development while spending very little time on fixing security vulnerabilities however still understanding and learning from the experience.
2. Teamwork
When we look at the development process we can see that many times developers work as part of a team. However, when it comes to fixing bugs, developers tend to find themselves alone in the process and reach a point where they realize they've given it all they got, captain!
That should not be the case. In fact, teamwork can very much be part of the SAST process. Here are some examples of how teamwork can be enhanced within the secure development process:
■ Providing feedback on the quality of the repair. An important aspect of any learning process is measuring how well information is applied. When it comes to security, it is important to track the progress of the code quality over time. This can be done, for instance, by tracking the number of security flaws found from one code review to the next. This type of feedback from an early stage of the development lifecycle saves time, money and improves overall code quality.
■ Consulting between developers. This means providing the developers with an encouraging environment to openly discuss the issues they face. Consequently, peers can walk through security practices and learn from others' past experiences.
■ Establishing a shared knowledge base within the company. Sharing experiences, tips and best practices does not necessarily need to be by word-of-mouth or between small teams. Rather, knowledge should be shared, updated and maintained in a central searchable knowledge base.
For 2 more ways security teams can get developers excited about creating secure code, Read Part 2
Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.
Industry News
Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.
Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.
Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.
Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.
Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.
Kindo formally launched its channel partner program.
Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.
Fastly announced the general availability of Fastly AI Accelerator.
Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.
vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.
Check Point® Software Technologies Ltd. announced that Infinity XDR/XPR achieved a 100% detection rate in the rigorous 2024 MITRE ATT&CK® Evaluations.
CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.
Grid Dynamics announced the launch of its developer portal.
LTIMindtree announced a strategic partnership with GitHub.