Security is a top concern among your clients. According to CompTIA, businesses are investing in cyber insurance to protect their businesses, transitioning to zero trust frameworks, and enhancing measures to protect against supply chain attacks. In addition, they’re increasingly scrutinizing cybersecurity measures that solutions providers take.
Mark Dorsi, CISO of Netlify, shares his insights into how ISVs can strengthen software security and maintain the trust their clients have in their products,
Tell us about your security playbook.
Dorsi: I’m a security foundationalist, and as such, my playbook typically revolves around access controls, authentication, and authorization, network security, data protection, incident response, patch and vulnerability management, and secure development.
For software developers, the key takeaways from a foundational security playbook are to incorporate security into the software development lifecycle, use secure coding practices, and perform regular security testing. This helps minimize exposure time in a production environment. Security should not be an afterthought – it needs to be integrated into every stage of the software development process, from design to deployment.
What are the mistakes that software developers commonly make with security?
Dorsi: Common mistakes with security include using insecure coding practices, failing to validate user input, relying on weak passwords, and not keeping software up to date. These mistakes can lead to security vulnerabilities that can be exploited by attackers to gain unauthorized access to systems or data.
What are the underlying issues that lead to security vulnerabilities? Is it process-related? Culture-related?
Dorsi: The underlying issues can be process-related, culture-related, or both. For example, if an organization does not have a defined security process or does not prioritize security in its culture, developers may not receive the necessary resources or training to develop secure software. Similarly, if an organization has a culture that does not value security or incentivizes fast development over secure development, developers may prioritize speed over security.
It can be challenging for software developers to know or understand what their peers have done or are prioritizing, especially in large organizations or teams where developers work on different projects or applications. This can lead to a siloed approach to security, where developers focus on securing their individual components without considering the bigger picture. However, in today’s fast-paced and interconnected environment, it’s more important than ever to act like one team when it comes to security. Developers need the ability to collaborate and share knowledge to identify potential security risks and work together to address them.
How can developers overcome challenges and strengthen security?
Dorsi: Developers can use secure coding standards such as OWASP, CERT, and NIST, leverage automated security testing tools, conduct regular security audits, and ensure that security is incorporated into every aspect of the software development process. Developers can also stay up to date on the latest security threats and trends and implement appropriate security measures to mitigate these threats. Developers should receive ongoing training to ensure that they have the skills and knowledge to develop secure software.
One way to promote this collaborative approach to security is through the use of security tools and platforms that provide insights into the overall security posture of an organization. These tools can help developers understand what their peers have done, identify areas that require attention, and prioritize security tasks based on the overall risk profile. By using these tools, developers can become more integrated into the larger security team and work together to ensure that the organization’s systems and data are secure. Ultimately, a culture of shared responsibility and collaboration is crucial for effective security, and the right tools can help facilitate this approach.
What is your hope for the future of software development security?
Dorsi: Imagine a world where a developer can get instant feedback on the code they’re committing. This would include insights into how that code compares to code submitted by other developers in similar situations and what they need to do to secure it, as well as a likelihood score with respect to risk of rollback for the proposed changes. This world would be one where security is not an afterthought, but instead a core consideration at every stage of the software development lifecycle.
With real-time security analysis tools, developers can receive instant and detailed reports on potential security vulnerabilities and recommendations for remediation. This isn’t just about real-time feedback. It’s about real-time feedback with contextual benchmarking.
For example, a developer working on an e-commerce platform could receive instant feedback on their code as they commit it. The tool could flag potential vulnerabilities, such as cross-site scripting or SQL injection, and provide guidance on how to address them. The tool could also compare the developer’s code with similar code submitted by other developers, highlighting areas where the developer’s code may be less secure and suggesting improvements.
In this world, developers would be empowered to make more informed decisions about the security of their code, and organizations could be more confident that their software is stable and secure. By integrating security into the development process and providing developers with the tools they need to secure their code, we can create a world where security is not just a goal but a reality.