You have a tightly configured firewall and the best in the industry security appliances. Do you need to worry about the application code being secure as well?
The answer is yes. Even with secure firewalls and security appliances, if you are running applications with security vulnerabilities then you and your organization are susceptible to a range of attacks and breaches. SuprTEK, its Solution Engineering and Delivery (SE&D) unit, and SE&D’s Team ADEV are taking the issue of secure coding seriously. Senior technical staff members are gaining secure coding certifications and sharing their knowledge with development teams to ensure that secure coding practices are implemented across the board on all application development.
Why Achieve Secure Coding Certifications?
There are plenty of misconceptions, wrong information, and even urban legends when it comes to secure coding and what it means to have secure code. To break through the noise and get to a solid understanding of secure coding, it is important to build a knowledge base from a recognized and reputable certifier in the field.
Several SE&D senior technical staff have earned or are currently earning the GIAC Secure Software Programmer (GSSP) Certification for Java. The certification requires about 24 hours of online or classroom training followed by a three-hour exam. The training and exam cover verified, demonstrably effective practices for writing and deploying secure code. The Global Information Assurance Certification (GIAC) entity is a well-known, reputable provider of a range of IT and software security certifications. GIAC states its “certifications are trusted by thousands of companies and government agencies, including the United States National Security Agency (NSA).”
“There is a lot of misinformation about secure coding floating around the industry,” explained Charles Forsythe, an SE&D Solution Architect who recently gained the GSSP certification. “Going to a verified source of real and accurate information about secure coding will help you avoid critical mistakes.”
The Benefits of Secure Coding
Even with properly configured firewalls and security appliances, applications developed without following secure coding practices can be vulnerable. Browser tabs open to malicious sites can hijack the app’s communication, making a firewall think the traffic is legitimate. The app can also be tricked into jumping into portions of the code beyond the current user’s permission, or the app can simply be shut down. The code in the application itself must prevent these types of breaches, as firewalls cannot be relied on to thwart them.
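As an added illustration of the two checks this paragraph says the application code itself must make (not code from the page, SuprTEK or Team ADEV), here is a plain-JDK (Java 11+) stand-in for a request handler; the Session class, the role names and the deleteAccount action are assumed for the example:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

// Added illustration, not SuprTEK's or Team ADEV's code: a stand-in request handler
// showing the two checks the article says the application code itself must make.
public class ServerSideChecks {
    // Hypothetical session: the user's roles plus a per-session anti-forgery token.
    static final class Session {
        final String user; final Set<String> roles; final String csrfToken;
        Session(String user, Set<String> roles) {
            this.user = user; this.roles = roles;
            byte[] raw = new byte[32];
            new SecureRandom().nextBytes(raw);
            this.csrfToken = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        }
    }
    // Constant-time comparison so the token check does not leak timing information.
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
    // VULNERABLE shape: the privileged action runs for any request that reaches it.
    // A firewall sees an ordinary authenticated request and passes it through.
    static String deleteAccountUnchecked(Session s, Map<String, String> params) {
        return "deleted " + params.get("target");
    }
    // HARDENED shape: the role check is enforced in code on this action, and the
    // request must carry the session's own token, which a page in another tab cannot read.
    static String deleteAccount(Session s, Map<String, String> params) {
        if (!s.roles.contains("ADMIN")) return "403: " + s.user + " lacks ADMIN";
        if (!tokenMatches(s.csrfToken, params.get("csrf"))) return "403: bad anti-forgery token";
        return "deleted " + params.get("target");
    }
    public static void main(String[] args) {
        Session alice = new Session("alice", Set.of("USER"));
        Session admin = new Session("root", Set.of("USER", "ADMIN"));
        Map<String, String> forged = Map.of("target", "bob"); // browser sent the cookie, but no token
        Map<String, String> genuine = Map.of("target", "bob", "csrf", admin.csrfToken);
        System.out.println(deleteAccountUnchecked(alice, forged));
        System.out.println(deleteAccount(alice, genuine));
        System.out.println(deleteAccount(admin, forged));
        System.out.println(deleteAccount(admin, genuine));
    }
}
```

The unchecked variant deletes the account on the forged request; the hardened one rejects both the ordinary user and the token-less request, and only the admin's genuine request succeeds.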
The real benefit of secure coding goes to the old saying that an “ounce of prevention is worth a pound of cure.” Developing code that is not vulnerable to attacks means that data breaches and harmful actions are much less likely to happen. Not only can bad actors harm your organization by gaining access to your code and data and by halting operations, but incidents also have to be investigated and solutions found and implemented, all at great cost. Plus, your organization’s reputation can be damaged when breaches become public or a customer using your code becomes a victim.
The stakes become even higher when the code is being installed and used by the Department of Defense and national security or military operations might be at risk. A small effort early on in code development can save extensive efforts and expense and even embarrassment later.
Implementing Secure Coding Practices
On Team ADEV, senior technical staff members with secure coding certifications work directly with scrum masters and senior developers to ensure they are fully trained and aware of secure coding practices. Scrum masters and senior developers then work closely with their Agile teams through daily communication and code peer reviews to make secure coding practices second nature in the application development process. Most staff developers have Security+ certifications, but moving forward the team hopes to extend the number with secure coding certifications.
While tools like HP Fortify can be a good way to double-check for vulnerabilities or identify low-hanging fruit that can make an application more secure, truly secure code has security baked into the application during development, on a daily basis.
If your organization is serious about secure coding, then it should be taking steps to have technical leaders gain secure coding certifications and consciously diffuse that knowledge throughout the organization’s developers. At SuprTEK, we value our customers and our customers’ needs, and we know that secure code is important to them. That is why we have made secure coding a priority.
Don Reed is a Senior Technical Writer and Project Support Specialist with the ADEV program. His background includes engineering and programming, project management, quality and business improvement, and business-technical communication. Don has a B.S. in Electrical Engineering and an M.A. in Communication from Saint Louis University.