How can a Programmer contribute to Security?
Hackers and programmers are not poles apart. Given the nature of their skill, they are cut from the same cloth. The tenacity that one needs to be a good programmer is the same set of skills that a hacker possesses (whether they are a black hat or white-hat hacker).
The programmer, however, follows the rules and regulations to build a product. A hacker uses his/her technical skills to obtain unauthorized access to data. Some abuse that access and take advantage of the vulnerabilities they find; others find these vulnerabilities and let the organizations know.
Programmers and hackers require immense tenacity and patience to do what they do effectively. While this is not a generalization, most programmers think in terms of functionality rather than security. A study showed how programmers might take the easy way out and not implement password security at all. This is not a conscious decision; it is simply how development has been carried out for a long time: programmers build something, then QA tests its efficacy. Secure programming has not been a thorough, mandatory practice.
A good programmer's characteristics for security:
A good programmer is a continuous learner:-
They spend hours understanding a problem, designing solutions, and then coding it. This is a constant process of learning and relearning what they know, and improving upon it.
Security perspective: Programmers aren't inherently trained in security best practices; it is not a core part of the university curricula they graduate from. It is something they have to take up as a responsibility on the job, learning from live incidents and building their own set of best practices. They aren't taught secure programming from the get-go but are asked to focus on functionality instead. Vulnerabilities found in code are exploited by hackers almost immediately, and the attack can be automated with malware. Companies, meanwhile, take 100-120 days to release a patch to their systems. That gap is plenty of time to exploit the vulnerability, and it should be reason enough to make security a standalone priority.
Attention to detail:-
Programmers decipher and look into the countless number of bugs daily. They get into the nitty-gritty details of the code. They do so to execute the code’s functionality seamlessly.
Security perspective: With programmers being that attentive to detail, it takes only a shift of perspective for them to think in terms of security. While they write the code, programmers must think about how every detail may or may not affect security. They must think outside the box, beyond their own view of their code. After all, hackers are among the most creative people out there; to meet them head-on, a programmer must think the same way. In what way does this code leave a vulnerability open? In what way can the password stored here be stolen?
Questions like these must be a part of their coding practice.
Their ability to think about the user:-
While coding, programmers think about making the most feasible solution for the user. The agenda is to tend to the user’s needs in the most convenient way.
Security perspective: Security is a big concern for the user. The traffic that reaches an application is not just user data but also malicious data. DDoS attacks are rampant today, and this underlines the need to protect the user's data. The solution must be easy for the user to use and, at the same time, not easy for the hacker to abuse.
Where is the data stored?
How well is the password-protected?
Will the password be encrypted? If so, how?
If not, will it be hashed? If so, will it also be salted?
The programmer must answer these questions after analysing the use case at hand.
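The questions above have a standard answer: passwords are not encrypted (anything encrypted can be decrypted with the key) but hashed with a slow, salted key-derivation function, and each login re-derives the hash and compares it in constant time. The following is an added example, not code from the article, showing the bare unsalted hash that the article warns against beside a salted PBKDF2-HMAC-SHA256 record; the record format, the 16-byte salt and the 600,000 iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example (assumptions, not from the article):
# PBKDF2-HMAC-SHA256 with a per-user random salt and a high iteration
# count, so guessing stays slow for an attacker who steals the table.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak approach: a bare hash with no salt.

    Every user with the same password gets the same digest, so a single
    precomputed table cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex fields).

    Storing the parameters next to the hash lets the iteration count be
    raised later without breaking verification of older records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not stop at the first differing byte, so the
    # comparison time does not leak how close a guess was.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demonstration: two users who happen to share a password.
    shared = "correct horse battery staple"
    print("unsalted, user A:", unsalted_sha256(shared))
    print("unsalted, user B:", unsalted_sha256(shared))  # identical digests
    record_a = hash_password(shared)
    record_b = hash_password(shared)
    print("salted, user A:  ", record_a)
    print("salted, user B:  ", record_b)  # different salt, different hash
    print("login, right password:", verify_password(shared, record_a))
    print("login, wrong password:", verify_password("wrong password", record_a))
```

Running the script shows the two unsalted digests are identical while the two salted records differ, which is the practical reason the article's last question ("will it also be salted?") matters.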
Related read: Password hashing: Add a little salt and pepper
Deciding the right programming language:-
A seasoned programmer knows that every programming language has its pros and cons. The decision to choose a particular language is based on the software’s need. The project at hand and its necessity is the basis for a good programmer’s choice of language and framework.
Security perspective: A good programmer should also consider the security aspects of every language. A WhiteSource report stated that the C language accounted for 47% of all open-source vulnerabilities, and that the largest share of vulnerabilities in 2018 was in the Linux operating system. Although the security of the code ultimately depends on the coder, it is good to be aware of the kinds of security loopholes each language tends to allow, and of the scope for correcting them. A language will always be chosen primarily on the needs of the task, but that does not mean security should be neglected either.
Best security practices for a programmer:
Veracode's State of Software Security Developer Guide showed that 70% of the time, applications fail the initial scan against the OWASP Top 10 standard. Along with that, SQL injection vulnerabilities have stayed at a consistent level all this while, even as the threat landscape keeps growing. This shows an evident dearth of training in secure programming during a programmer's initial education.
While we wait for that to happen, here are some best practices for programmers to follow:
- Vet open-source code as well as you can. A lot of malware has made its way into products because it was first present in an open-source component. Programmers should scan this code thoroughly before integrating it into their own.
- Look up resources like the OWASP cheat sheets. They give an understanding of how to secure a password while designing code.
- A program should be written assuming that it trusts nothing, much like the Zero Trust policy an organization should adopt.
- The code must be separated into what is sensitive and what isn't. This technique is called sandboxing; it is common practice in Java today but can be used across languages.
- Since programming has been around for a long time, there are well-established dos and don'ts. Certain design patterns and functions that are prone to vulnerabilities must be avoided, and programmers should educate themselves about them.
- Programmers should demand a development environment from their organization that notifies them of security issues in their code.
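The "trust nothing" practice above and the SQL injection figures quoted earlier meet in one of the most common defects in application code. The following is an added example, not code from the article, that runs both a lookup which splices user input into the SQL text and a lookup which validates the input against an allow-list and binds it as a parameter, against a constructed in-memory SQLite table; the table contents, the username rule and the function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Allow-list for usernames: the program states what input is acceptable
# instead of trying to enumerate what is dangerous.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def is_valid_username(username: str) -> bool:
    """True only if the whole string matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_email_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Trusts the input: the caller's string becomes part of the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into a tautology,
    and the query returns every row in the table.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """Trusts nothing: validate against the allow-list, then bind the value.

    The driver passes the value separately from the SQL text, so quotes in
    the input can never change the meaning of the statement; the allow-list
    check in front of it rejects junk before it reaches the database at all.
    """
    if not is_valid_username(username):
        return []
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    injected = "' OR '1'='1"
    print("unsafe, normal input:  ", lookup_email_unsafe(conn, "alice"))
    print("unsafe, injected input:", lookup_email_unsafe(conn, injected))
    print("safe, normal input:    ", lookup_email_safe(conn, "alice"))
    print("safe, injected input:  ", lookup_email_safe(conn, injected))
```

The parameterized query alone already defeats the injected string (it simply looks for a user literally named `' OR '1'='1` and finds none); the allow-list check is the defence-in-depth layer that the "trust nothing" rule calls for, and it is also what a security-aware development environment or code scanner would expect to see in front of every database call.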
Programmers aren't ignoring security; they have been conditioned to think about functionality first. This is changing as awareness among programmers grows, and there is now more information out there on how to code securely.
Have a conversation with your programmer about security. It will take your organizational security a long way.
If you’re a programmer, it’s just about shifting your perspective. Your skills are already there!