Can we trust Software Developers to keep our data safe?
It’s not a secret that the infrastructure of the internet was built without security in mind. The dream was to connect people throughout the world, which has led to some of the most significant advancements in modern civilization such as our ability to communicate more effectively. The days of carrying phone numbers on a piece of paper are long gone and buying merchandise from your favorite store has never been easier. Unfortunately security was not the priority and as a consequence we have seen mass data breaches by some of the most trusted brands in the world. Recently we have seen our communities become more security conscious but advancements to secure the internet have not matched the speed at which new products are released online. Research and development is in progress and efforts to create a more secure internet are underway (e.g. QUIC). Regardless, we must heighten expectations for Application Developers who maintain and build online products. They are directly responsible for how our data is collected, stored, retrieved, edited, and protected.
When filling out forms online, most people never consider where the data is stored, who is responsible for it and how long it will be stored. We recently saw world governments launch campaigns to restructure the way this information is handled and we have a long way to go before we can consider ourselves “safe”. Even with data governance such as GDPR, we find ourselves at the mercy of Application Developers. Laws regarding data are only enforced under specific circumstances and even then it is the Application Developers we must rely on to protect our data. Meanwhile, hackers ranging from script kiddies to government funded outfits are hammering servers till they find an opening and expose our most personal information. Can we trust the Application Developers we unknowingly rely on to protect our data?
I am a Software Engineering Manager and Ethical Hacker in St. Louis, MO. I have been in the software and technology industry for over a decade. I have watched the industry change from being highly critical of candidates new in their careers to willing to hire anyone who can be trained. The issue I have seen with training new Developers is the lack of effort into teaching them how to secure a product. Majority of the time we see new Developers taught just enough to complete development tasks on a team. Nothing close to what someone with a Computer Science degree learns and even less than what someone who attends a two week ethical hacking boot-camp learns. Newly trained candidates learn things like how to make a form, submit the form and handle some data. Anything to make the product functional but leaving out the lower level skills as well as how to avoid implementing vulnerabilities into a code base. Anything to get the job done but nothing to make sure the person interacting with the product will be safe.
Unfortunately, Application Developers and Software Engineers are not formally trained in Application Security. They do not necessarily have to take interest in security and not many would say it is an expertise they care to learn. If Developers are not expected to learn Application Security, how can we trust any application or digital product with our own personal data?
CISO Magazine predicts cyber crime will cost the world over 6 trillion dollars by 2021. That means we can expect many people to be victimized by cyber crime because they decided to use an application on the internet that seemed harmless. The worst part is people will most likely be victimized because of a website they interacted with some time in the past and not because of something they do in the future.
To battle the growing cyber crime statistics we must expect more out of the Developers building and maintaining the internet:
- Developers need to be formally trained to build secure products
- Understand common vulnerabilities and how to avoid them in the software they create
- Keep track of OWASP top 10
- Build vulnerability testing into the quality assurance process
- Build threat models
- Create disaster recovery plans
- Be much more critical of their own work.
Another huge step in the right direction will be cleaning up data stored on old servers. Removing it when it’s not needed or otherwise going back to make sure it’s secured. Old products often store data in ways that are no longer considered secure because business stakeholders prioritize new work over the necessary upkeep of legacy products. Developers are often overwhelmed with these priorities and do not consider the impact of some of the outdated products till they have been compromised. That means securing old products will not be prioritized till somebody is victimized. The three most common reasons I repeatedly see this situation occur are prioritizing new feature development, budget and lack of expertise. If we want to create a safe internet, the way these products and their data are maintained must drastically change.
We are working with our engineering teams to improve our expertise in Application Security. As leaders in the technology industry, our clients count on our expertise to keep their users safe. We are on the front lines of the cyber war and lead by expecting more from our teams. We are changing the way we think about Application Security on a Software Engineering team by:
- Studying ethical hacking
- Increasing the number of Certified Ethical Hackers among our ranks
- Implementing vulnerability testing as part of our testing process
- Keeping up to date with the most relevant vulnerabilities
- Building proof of concepts to show active vulnerabilities in a product
- Completing capture the flag challenges
We love our clients and will continue to expect more from our team.