On January 28, the U.S. Department of Defense released the annual report of the Pentagon's combat testing office, which warned that the U.S. military's cybersecurity capabilities "aren't advancing fast enough to stay ahead of the 'onslaught of multipronged' attacks envisioned by adversaries." On January 29, news broke of a bug in Apple's FaceTime that let a caller listen through the recipient's microphone before the call had been answered. Two organizations that lead their respective fields, within a single week, showed how hard software security is to get right.
Figure caption: If companies want to ramp up their security efforts, it requires both contextual and scalable approaches working in tandem. (Source: SmartBear)
Software teams in 2019 are building more complex projects, with more distributed teams, in a more competitive technical landscape. On top of that, they have to mitigate the risk of cyberattacks in both the software they are writing now and the code they already ship. So far, most companies have shown that they don't have a reliable practice in place for doing so.
The Unstructured Heritage of Cybersecurity
The field of cybersecurity is still relatively young. Viruses spread by lone malicious actors through email and websites in the 1990s, but there was little financial gain in it, and antivirus software was the response. After the turn of the century, attacks increasingly targeted companies, and credit card theft and corporate breaches became routine headlines. Breaches at TJX, Target, Home Depot, and Staples exposed not only the vulnerabilities in those companies' systems but also the fact that most companies were not treating cybersecurity as a business priority.
Companies then introduced programs meant to channel attackers' skills rather than just absorb their attacks, rewarding hackers with bug bounties and jobs. Those recruits brought real technical expertise, but the offensive mindset is exploratory and adversarial by nature, not process-oriented. The challenge now is for companies to build structured, predictable security workflows that stand up to unstructured, unpredictable attacks.
Scalable Security Practices and Limits of Automation
One way teams have added structure to their security work is by adopting tools for penetration testing, vulnerability analysis, and monitoring. In Cisco's 2018 Annual Cybersecurity Report, 39 percent of the chief information security officers surveyed said their organizations were completely reliant on automation; 34 percent said the same of machine learning and 32 percent of artificial intelligence.
This shouldn't be surprising. Organizations that need to scale quickly can't do it through hiring alone, especially given the size and complexity of their software estates. Automation does and should play a critical role.
However, automated tools have no sense of business context. A scanner can report that a piece of code matches a weakness pattern, but not what that weakness is worth to an attacker or what a breach of that component would cost the business. That judgement is the hard part of the job, because every nontrivial project will have findings and someone has to decide which ones matter.
The Open Web Application Security Project (OWASP) advocates for a focus on manual security code reviews, saying, “A human reviewer can understand the context for certain coding practices, and make a serious risk estimate that accounts for both the likelihood of attack and the business impact of a breach.” Extending more context to security teams means including them at every stage of the software development lifecycle (SDLC).
Building a Security Review Quality Gate Across Your SDLC
Bugs and vulnerabilities are cheaper to remedy the earlier they are found in the SDLC, which is why so many teams are shifting their testing left. The same principle applies to security. OWASP outlines where security teams should be involved in review:
- Application security requirements in the planning phase
- Security architecture in the design phase
- Source code, coding practices, and test plans in the development phase
- Penetration testing in the testing phase
- Configuration management and secure deployment
With all of these touchpoints, cross-functional collaboration is critical. In code review specifically, a security professional who isn't fluent in the language or framework in use will struggle to understand what the code actually does, just as a developer unfamiliar with attack techniques will miss what an attacker would see. Effective communication between development and security teams lets each side pass on its subject knowledge and practices. In a report published by SmartBear in 2018, 73 percent of survey respondents named "sharing knowledge across their team" as one of the key benefits of code review.
Teams that don't already do so should set a regular cadence of meetings to walk through application architecture, related services, and key inputs and outputs. It can be hard to ensure that all of these reviews happen in a documented, organized way, especially for teams that track reviews manually, over email, or in a spreadsheet. Tools like Collaborator provide a structured review process for all of the code and documents associated with a project: teams can customize approval workflows and capture the process in review metrics and defect reports.
Cristina Chaplain, a director at the U.S. Government Accountability Office, reflected on the recent Pentagon report saying, "DoD testers routinely found mission-critical vulnerabilities in systems under development, and in some cases, repeatedly over the years tended to discount the scale and severity of the problem."
Scanning tools can identify critical vulnerabilities, but unless a review gate holds the build until each finding has been triaged by someone with the context to judge it, deadline pressure encourages teams to move on without addressing them.
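A gate of that kind, as an added example rather than code from the article or from SmartBear's Collaborator: a small Python script that ingests scanner findings, looks each one up in a reviewer-signed triage file, and fails the build when any finding at or above the chosen severity is untriaged, marked fixed but still reported, or covered by a risk acceptance that has no expiry or has expired. The report and triage JSON formats, the rule ids, file paths and reviewer name are all constructed for this example; they are not any real scanner's output.

```python
"""Security review quality gate (added example, not the article's or
Collaborator's code). The scanner supplies findings; reviewers supply the
context-aware triage decision; the gate only enforces that one exists."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
MIN_JUSTIFICATION = 20  # characters: forces a real sentence, not "ok"


@dataclass(frozen=True)
class Finding:
    rule_id: str      # scanner rule; a CWE id in this constructed format
    severity: str
    path: str
    fingerprint: str  # stable id the scanner assigns to the finding


@dataclass(frozen=True)
class Triage:
    decision: str            # "false_positive", "accepted_risk" or "fixed"
    reviewer: str
    justification: str
    expires: Optional[date]  # mandatory for accepted_risk


def parse_findings(report_json: str) -> list:
    return [Finding(f["rule"], f["severity"].lower(), f["path"], f["fingerprint"])
            for f in json.loads(report_json)["findings"]]


def parse_triage(triage_json: str) -> dict:
    out = {}
    for t in json.loads(triage_json)["triage"]:
        exp = date.fromisoformat(t["expires"]) if t.get("expires") else None
        out[t["fingerprint"]] = Triage(t["decision"], t.get("reviewer", ""),
                                       t.get("justification", ""), exp)
    return out


def evaluate_gate(findings, triage, threshold="high", today=None):
    """Return (passed, reasons); any reason blocks the merge."""
    today = today or date.today()
    reasons = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            continue  # below the gate's threshold: tracked, not blocking
        where = f"{f.severity} {f.rule_id} in {f.path}"
        t = triage.get(f.fingerprint)
        if t is None:
            reasons.append(f"untriaged: {where}")
        elif not t.reviewer or len(t.justification) < MIN_JUSTIFICATION:
            reasons.append(f"triage lacks reviewer or justification: {where}")
        elif t.decision == "fixed":
            # the scanner still reports it, so the fix regressed or never landed
            reasons.append(f"marked fixed but still present: {where}")
        elif t.decision == "accepted_risk":
            if t.expires is None:
                reasons.append(f"risk acceptance has no expiry: {where}")
            elif t.expires < today:
                reasons.append(f"risk acceptance expired {t.expires}: {where}")
        elif t.decision != "false_positive":
            reasons.append(f"unknown triage decision {t.decision!r}: {where}")
    return (not reasons, reasons)


# Constructed sample input: one scanner report and the reviewers' triage file.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "CWE-89", "severity": "critical", "path": "app/db.py", "fingerprint": "f1"},
    {"rule": "CWE-79", "severity": "high", "path": "web/render.py", "fingerprint": "f2"},
    {"rule": "CWE-327", "severity": "medium", "path": "crypto/legacy.py", "fingerprint": "f3"},
    {"rule": "CWE-798", "severity": "high", "path": "config/settings.py", "fingerprint": "f4"},
    {"rule": "CWE-22", "severity": "high", "path": "api/files.py", "fingerprint": "f5"},
    {"rule": "CWE-502", "severity": "high", "path": "jobs/queue.py", "fingerprint": "f6"},
]})
SAMPLE_TRIAGE = json.dumps({"triage": [
    {"fingerprint": "f1", "decision": "accepted_risk", "reviewer": "appsec-lead",
     "justification": "Table name comes from a fixed allowlist; fix queued for Q2",
     "expires": "2019-03-01"},
    {"fingerprint": "f4", "decision": "fixed", "reviewer": "appsec-lead",
     "justification": "Credential moved to the secrets manager"},
    {"fingerprint": "f5", "decision": "accepted_risk", "reviewer": "appsec-lead",
     "justification": "Endpoint reachable only from the internal network",
     "expires": "2019-01-01"},
    {"fingerprint": "f6", "decision": "false_positive", "reviewer": "appsec-lead",
     "justification": "Payload is signed and verified before deserialization"},
]})


def run_example(threshold="high", today="2019-02-15"):
    findings = parse_findings(SAMPLE_REPORT)
    triage = parse_triage(SAMPLE_TRIAGE)
    return evaluate_gate(findings, triage, threshold, date.fromisoformat(today))


if __name__ == "__main__":
    passed, reasons = run_example()
    print("GATE PASSED" if passed else "GATE FAILED: " + "; ".join(reasons))
```

Run as a CI step, the script exits non-zero on any blocking reason, so the merge cannot proceed by simply ignoring the scan. The design keeps the two roles the article argues for separate: the scanner finds, a named reviewer decides, and the gate checks only that a decision exists, is justified, and has not quietly gone stale. On the constructed sample the gate fails for three of six findings (one untriaged, one marked fixed yet still reported, one expired acceptance); with the threshold raised to critical it passes, and it fails again once the remaining acceptance passes its expiry date.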
When teams adopt a structured review process with security practices embedded, knowledge sharing becomes central to the project culture. This is especially important given that training and skill development is in such great demand across industries.
Growing Teams and Training Through Peer Reviews
In the Cisco study referenced earlier, 27 percent of respondents said that "lack of trained personnel" was the greatest obstacle to security, up from 22 percent in 2015. This isn't because companies aren't hiring for security: the same study found that the median number of security professionals at an organization rose from 25 in 2015 to 40 in 2017. Companies need to keep hiring to match demand, and they also need to create opportunities for those experts to mentor and train junior team members. Because peer reviews take place across the SDLC, they are a structured, repeatable vehicle for that onboarding and knowledge transfer.
The Common Weakness Enumeration (CWE) project, maintained by MITRE, currently lists over 800 known types of software weakness, and the catalogue keeps growing. Every class of weakness that a team's reviews do not cover is business risk that nobody has assessed.
If companies want to ramp up their security efforts faster, they need contextual and scalable approaches working in tandem. In practice, that means structured workflows that prioritize cross-functional review, alongside tooling that expands security test coverage and, ideally, uses AI or machine learning to improve over time.
For most companies, adopting a structured mitigation program means transforming how they work. Process change is never easy, but prioritizing code quality and knowledge sharing along the way equips teams to excel in every aspect of their development.
Patrick Londa is the digital marketing manager for Collaborator at SmartBear. With a background growing agile startups in the clean tech and digital health space, Patrick is now focused on software quality, process traceability, and peer review systems for companies in highly-regulated, high-impact sectors.