Securing the bricks and architecture

What can toy building blocks teach developers about security best practices?

Maty Siman
© Shutterstock / Vladimir Zlotnik

Software development as an industry is transforming all the time and, in recent years, it has changed considerably due to evolving market demands. 2020 in particular was a challenging year as many businesses were forced to adapt their web and application development processes to meet changing market needs and user experience requirements.

The role of the developer is also evolving. Think back 10 to 15 years, when developers would write almost everything themselves. Today it is rare for developers to write all of their code from scratch. They assemble it from tools and resources taken from different places, such as open-source packages and cloud services like AWS, in order to ship software more efficiently in this new era of modern application development.

One way of summarising this is to use Lego bricks as an analogy. Modern application development, when broken down, isn’t too dissimilar to using toy blocks to build a bridge. To build a secure bridge, it is not sufficient to inspect each brick individually and conclude that the bridge is strong enough. The builder must understand the bigger picture, or the ‘architecture.’

Because developers now assemble rather than write most of their code, their job shifts to combining those elements into an architecture, which includes looking at the full infrastructure to judge how stable the design really is. That is the basis of modern application development.

With coding, as with building blocks, it’s important for developers to have a view of the bigger picture. Developers now want to build flexible applications by simply snapping components together – this is a positive shift and has allowed developers the ability to focus on what matters the most, business logic. At the same time, however, this does raise concerns around security, especially when it comes to the links between the components.

Developers are constantly introduced to new and complex security challenges. An application breach can be devastating not only to the end user, but to the entire organisation as well. As the ‘snap-on’ model of modern application development continues to gain popularity, what are the security risks that organisations need to consider when ‘legolising’ modern application development?


Securing the bricks and architecture

When building a metaphorical Lego bridge in the application security world, developers need to look at where components are linked and at the ways they work together to ensure the security of the applications they are building. Modern application security therefore has two steps: making sure the bricks are secure (each individual component and dependency, and its version), then making sure the architecture is secure (how the components are wired together, including the data flows and permissions between them). A weakness that only appears at a joint between two sound components is missed if each brick is checked in isolation, and skipping either step leaves the apps we develop open to attackers.

We have seen a proliferation of supply chain attacks in the last year, including large-scale, high-profile incidents such as SolarWinds and Kaseya, where a single compromised vendor component was used to reach many organisations downstream. Attackers have realised that it is easier to compromise one component than the whole stack. It might seem obvious, but if we apply this back to our bridge, it is easier to attack a crack in the bridge than the bridge itself, and the same applies to applications: rather than attacking an organisation head on, attackers find a vulnerable component and go through it instead.

Addressing the ‘legolised’ attack trend

Traditionally, developers have seen security as the problem of an organisation’s IT team. But, in recent years, there has been a mindset change and developers are realising that the security issue also lies with them. In order to help developers prevent a ‘legolised’ attack, organisations need to encourage them to take a more holistic, unified, and effective approach to managing risk.

Developers need access to the right tools to look at the overall architecture of how the code they use fits together. This means no longer relying on best-of-breed point solutions, or on components, that do not work together in a unified way. There is now a real need to scan all the bricks and all the links between them, and to have the different scanning engines correlate their results rather than report in isolation.

Developers cannot be expected to keep up with every trick attackers use; attackers simply move too quickly. What developers do need is the ability to automate detection and to mitigate security risks. To help them with this, they need supply chain tooling that tracks every component and the infrastructure it runs on, at minimum an inventory of which dependencies are present, at which versions, and through which other components they were pulled in, and that does so without affecting or slowing down their work.
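The two paragraphs above call for tooling that scans the bricks and the links and ties them together. The following is an added example, not code from the article or from Checkmarx, of the smallest useful version of that: it builds a component inventory from a lockfile, checks each component against an advisory list, and traces every chain of links through which a flagged component enters the application, so a vulnerable transitive dependency can be attributed to the direct dependency that pulled it in. The lockfile follows a simplified npm lockfile-v2 layout, the package names and versions are hypothetical, and the advisory list is a constructed stand-in for a real vulnerability feed.

```python
"""Added example (not from the article): build a component inventory from a
lockfile and trace every path from the application root to each component, so a
flagged "brick" can be tied back to the "link" that pulled it in.

Assumptions: the lockfile follows a simplified npm lockfile-v2 layout (a
"packages" map keyed by "node_modules/<name>", the root keyed by ""), and the
advisory list is a constructed stand-in for a real vulnerability feed.
"""
import json
from collections import deque

# Constructed sample lockfile. Package names and versions are hypothetical.
SAMPLE_LOCK = json.dumps({
    "name": "bridge-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.1.0", "logger": "^2.0.0"}},
        "node_modules/web-framework": {
            "version": "4.1.2",
            "dependencies": {"template-engine": "^1.3.0"},
        },
        "node_modules/logger": {
            "version": "2.0.5",
            "dependencies": {"template-engine": "^1.3.0"},
        },
        "node_modules/template-engine": {"version": "1.3.7"},
    },
})

# Constructed advisory feed: package -> set of affected versions. Exact-version
# matching keeps the example free of version-range parsing.
SAMPLE_ADVISORIES = {"template-engine": {"1.3.7"}}


def load_inventory(lock_text):
    """Return {name: {"version": str, "deps": [names]}}; the root is keyed ""."""
    lock = json.loads(lock_text)
    inventory = {}
    for path, entry in lock["packages"].items():
        # "node_modules/a/node_modules/b" resolves to the innermost name "b".
        name = "" if path == "" else path.rsplit("node_modules/", 1)[1]
        inventory[name] = {
            "version": entry.get("version", ""),
            "deps": sorted(entry.get("dependencies", {})),
        }
    return inventory


def dependency_paths(inventory, target):
    """All acyclic paths from the root to target, each as a list of names."""
    paths = []
    queue = deque([[""]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target and len(path) > 1:
            paths.append(path[1:])  # drop the "" root marker
            continue
        for dep in inventory.get(node, {}).get("deps", []):
            if dep not in path:  # guard against dependency cycles
                queue.append(path + [dep])
    return paths


def audit(inventory, advisories):
    """Return one finding per affected component: its version, whether it is a
    direct dependency, and every chain of links through which it is reached."""
    direct = set(inventory[""]["deps"])
    findings = []
    for name, meta in inventory.items():
        if name and meta["version"] in advisories.get(name, set()):
            findings.append({
                "component": name,
                "version": meta["version"],
                "direct": name in direct,
                "paths": dependency_paths(inventory, name),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(load_inventory(SAMPLE_LOCK), SAMPLE_ADVISORIES):
        kind = "direct" if finding["direct"] else "transitive"
        print(f"{finding['component']}@{finding['version']} ({kind}) reached via:")
        for chain in finding["paths"]:
            print("  " + " -> ".join(chain))
```

Run on the constructed lockfile, the script reports that `template-engine@1.3.7` is a transitive dependency reached through both `logger` and `web-framework`, which is exactly the information needed to decide which brick to replace. Extending this to real feeds means adding version-range matching and reading the infrastructure definitions alongside the lockfile; the path-tracing logic stays the same.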


Training as a form of defence

Training is another important requirement. Despite the complexity developers now face, security training for them is still treated as a low priority by many businesses. Herein lies the issue: developers are eager to learn how to write secure-by-design code, yet lack the support, skills or guidance needed to do it. This knowledge gap leaves them unable to deliver the safest products for their organisations, resulting in risks that are entirely preventable.

Businesses need to put measures in place to ensure developers receive the appropriate application security training – but not traditional compliance sessions. Organisations should, instead, prioritise a bitesize, interactive training style that enthuses and is tailored to developers who are reshaping software development.

The software development landscape has changed and it will continue to do so as digital transformation and innovative technology solutions continue to evolve. The message for businesses wanting to ensure their developers are empowered to create secure applications is that modern application security has to evolve in tandem.

Author

Maty Siman

Maty Siman is a technology expert, active in the IT industry for over 20 years with experience in software development, IT security and source code analysis. Prior to founding Checkmarx, Siman worked at the Israeli Prime Minister’s Office as a Senior IT Security Expert and Project Manager where he established and led a development team in the IDF’s Information Security Center. Siman regularly speaks at IT security conferences and has been CISSP certified since 2003.
