Why security must be baked into the app development process

6 Apr 2018

Security should be a key ingredient in any app development process. Image: Leonova Iuliia/Shutterstock

App development is a multilayered business, but security should be the linchpin of any project.

From monitoring public transport times to answering urgent emails, applications are a permanent fixture in the lives of many.

The development cycle of apps can be frenetic but, even in a fast-paced agile environment, a solid DevOps strategy combined with baked-in security should be the foundation the app is built on.

Craig Hinkley, CEO of application security (appsec) firm WhiteHat Security, spoke to Siliconrepublic.com about the importance of educating developers on security.

For Hinkley, the goal is making appsec “part of the DNA of a developer”.

‘A lot of security teams and security companies have failed the developers. They have failed to educate, train and teach developers what secure code is’
– CRAIG HINKLEY

Can you give a brief history as to the foundation and trajectory of WhiteHat Security?

We believe in a world where everyone lives a safe digital life, and have been delivering a full suite of application security services through the WhiteHat Application Security Platform (delivered via SaaS) to achieve this.

We’re the only application security vendor with a threat research centre (TRC) of more than 150 security engineers. They are an integral part of all WhiteHat Application Security Platform services, verifying vulnerabilities to remove false positives, providing remediation guidance, and actively helping WhiteHat customers manage their appsec programs and risk posture. TRC experts have evaluated and secured more than 50,000 applications and detected almost 95m attack vectors for WhiteHat’s 800-plus customers.

How important is training developers in terms of the WhiteHat ethos?

I’ve heard other security companies blaming developers for insecure applications. I often hear my peer group in the industry say, ‘Developers write bad code; they don’t know what they are doing.’

That is wrong. Plain and simple, wrong. Developers come to work every day to help their companies deliver new features, new apps for the customer, for the market.

A lot of security teams and security companies have failed the developers. They have failed to educate, train and teach developers what secure development, secure code, is and looks like.

Tie this back to our vision of a world where everyone lives a safe digital life and apps being at the centre of digital life, then it’s critical that the developers building and assembling those apps make them secure from the start.

Developers can’t do this without understanding how. Security knowledge needs to extend beyond the security team to the development organisation, and we’re extremely well equipped to address this challenge given our many years leading the application security market. We realise that for security to be successful with developers, we as a security industry need to serve the developers, help the developers understand security from their perspective, not a security perspective.

Training is so much a part of our company ethos that we decided to develop and offer a training and certification programme for developers, and to provide it for free so that there were no barriers to participation.

We launched the WhiteHat Certified Secure Developer programme last March and, in its first go-round, had more than 3,500 participants, of whom more than 500 got certified. The programme, which consists of a series of training webinars, an e-learning module for developers and a certification test, is still available online. The certification test has a 15pc pass rate, making it a real and meaningful programme and certification.

Do you feel that organisations of all sizes are waking up to the importance of security within DevOps?

Our digital economy allows companies of all sizes to compete for the same market, same customers. That is powerful. Speed is critical to bring new offerings to the digital marketplace, and it is reducing the time to market that is driving companies of all sizes to increase the speed of development – Waterfall, Fast Waterfall, Niagara Falls, DevOps or Agile – increasing the speed of turning the wheel between development and production. Breaches are highlighting that security is a major business risk in the digital economy where apps are the business.

With that backdrop, yes, companies of all sizes are realising that security has to be part of their development process.

DevOps is not a new concept. Practically all industries are adopting it now, and I’d go so far as to say organisations of all sizes are adopting it now. But it’s on us – WhiteHat and the security industry in general – to do a great job educating the market that security can’t be a siloed function any more. It must be integrated into DevOps to create DevSecOps/DevOpsSec/SecDevOps – whatever combination.

The ideal state is when we have truly been successful in making application security part of development DNA. When the ‘Sec’ in DevSecOps is silent. When security has become a measurement of software quality, the same way features, functions and performance are measures of today’s software quality.

How does WhiteHat Learning Labs work?

WhiteHat Learning Labs is an online, central repository for application security knowledge, resources and training for secure DevOps education, to enhance the skills and understanding of both information security and development teams. We launched WhiteHat Learning Labs last year in conjunction with National Cyber Security Awareness Month here in the US (October).

Our TRC team has collected and analysed more application vulnerability data than any other organisation in the world.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com