The role software developers play in the cybersecurity space
Cybersecurity is the intentional practice of securing networks, data, and devices from unauthorized users. With the growing number of cyberattacks and security vulnerabilities (most recently, the Log4j vulnerability), it’s becoming increasingly important for developers to understand how to secure applications and to think like cybercriminals in order to prevent these attacks from severely harming customers.
As software developers, we have a unique opportunity to be one of the first lines of defense against cyberattacks. The software development lifecycle focuses on implementing core functionality in software and applications; code quality and security are often an afterthought. However, our understanding of core cybersecurity principles can make or break the applications that we build.
Since 2003, the Open Web Application Security Project (OWASP) has highlighted the 10 most critical security risks to web applications via the OWASP Top 10 list. The list is “globally recognized by developers as the first step towards more secure coding.” However, some of the same vulnerabilities appear year over year, with little to no improvement in the quality of the software code being deployed to production environments.
Organizations deem it unacceptable for software teams to knowingly ship products with functional defects. It is time for organizations to also find it unacceptable to ship products with security defects. Security starts and ends with us – the developers. Unless a software team intentionally focuses on code quality and security, vulnerabilities will find their way into shipped products, and cybercriminals will exploit those vulnerabilities.
As developers, we can help prevent cyberattacks by proactively implementing security controls in our code. We can accomplish this in the following ways:
- Take the time to resolve high-severity alerts by keeping packages and dependencies updated. We can use tools like Renovate and WhiteSource to automatically scan for updates.
- Identify and understand the typical vulnerabilities for our tech stacks. We can search the CVE list for known vulnerabilities in the software that we use.
- Test for what our code is and is not meant to do.
- Upskill by taking security courses on platforms such as Udemy. For example, this course teaches cybersecurity for developers.
- Understand how to perform security testing such as vulnerability scanning and penetration tests. There are many tools available to automate this.
- Review the OWASP Top 10 list to understand the most common security attacks and how to prevent them.
- At the very least, be familiar with the following three attacks:
  - Broken access control
  - Cryptographic failures
  - Injection attacks
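To make the three attacks above concrete, and to show what “test for what our code is and is not meant to do” looks like in practice, here is an added example that is not part of the original post. It uses an in-memory SQLite database with constructed sample data and places each weak pattern next to its hardened counterpart: string-built SQL versus a parameterized query (injection), a record lookup that ignores ownership versus one that enforces it (broken access control), and an unsalted fast hash versus a salted, slow password hash (cryptographic failures). All table, column, and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample data for the example (not from the original post).
SAMPLE_USERS = [(1, "alice", "alice@example.com"),
                (2, "bob", "bob@example.com"),
                (3, "carol", "carol@example.com")]
SAMPLE_DOCS = [(10, 1, "alice's notes"), (11, 2, "bob's report")]


def make_db():
    """Create an in-memory database with hypothetical users and docs tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", SAMPLE_DOCS)
    return conn


# --- Injection: weak pattern vs. hardened pattern -------------------------

def find_user_vulnerable(conn, name):
    # Weak: the caller's input is pasted into the query text, so it can change
    # the query's meaning instead of being treated as a value.
    query = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Hardened: a parameterized query. The driver binds `name` as data, so the
    # same input can only ever match (or fail to match) a name, never alter SQL.
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Broken access control: weak pattern vs. hardened pattern -------------

def get_document_vulnerable(conn, requester_id, doc_id):
    # Weak: authentication happened elsewhere, but authorization never does.
    # Any logged-in user can read any document just by knowing its id.
    return conn.execute(
        "SELECT id, owner_id, body FROM docs WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document_safe(conn, requester_id, doc_id):
    # Hardened: the ownership check is part of the query itself, so there is no
    # code path that fetches a row and forgets to check it. A document that does
    # not exist and one the requester may not read both return None, which
    # avoids leaking whether the id is valid.
    return conn.execute(
        "SELECT id, owner_id, body FROM docs WHERE id = ? AND owner_id = ?",
        (doc_id, requester_id),
    ).fetchone()


# --- Cryptographic failures: weak pattern vs. hardened pattern ------------

def weak_password_digest(password):
    # Weak: unsalted, fast hash. Identical passwords give identical digests,
    # and a leaked table can be attacked with precomputed lookups.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password):
    # Hardened: a random per-user salt plus a deliberately slow key-derivation
    # function (scrypt, from the standard library). Returns (salt, digest).
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(stored, password):
    # Recompute with the stored salt and compare in constant time.
    salt, digest = stored
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    db = make_db()
    # Negative tests: what the code must NOT do.
    crafted = "x' OR '1'='1"          # classic textbook input, used here only to show the contrast
    print("vulnerable lookup rows:", len(find_user_vulnerable(db, crafted)))  # 3: every user
    print("safe lookup rows:", len(find_user_safe(db, crafted)))             # 0: no such name
    print("cross-user read (vulnerable):", get_document_vulnerable(db, 1, 11))
    print("cross-user read (safe):", get_document_safe(db, 1, 11))          # None
    stored = hash_password("correct horse")
    print("verify ok:", verify_password(stored, "correct horse"))
    print("verify wrong:", verify_password(stored, "wrong"))
```

The point of the `__main__` section is the testing habit from the list above: each hardened function is exercised with input it is *not* meant to honor, and the expected result is “nothing returned,” not just a passing happy-path case. In a real project those checks belong in the test suite so that a refactor which reintroduces string-built SQL or drops the `owner_id` condition fails the build.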
We control the security of the software and applications we build with code. Understanding cybersecurity is important because it protects the users and intellectual property of the companies that we work for.
Come learn security with me in the Lacework Community, where I’ll cover fundamental security topics for software developers.