A decade ago, interactions between developers and security professionals were minimal. Development teams would hand their software to security teams, and security teams would return with a very structured set of handoffs for developers. That’s not realistic for the way we work today, particularly with fast-paced software development projects such as mobile applications.
The speed at which mobile applications are developed requires that much of the security responsibility shifts to the developer’s plate. However, especially at larger organizations, security, compliance and risk triggers still drive development requirements.
When it comes down to it, who is responsible for security, anyway? According to GitLab's survey of over 4,000 software professionals, 49% of security professionals struggle to get developers to make remediation of vulnerabilities a priority. Worse still, 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the life cycle. On the developer’s side, nearly 70% said that they’re expected to write secure code, even though they get little guidance or help.
When developers and security professionals are at such odds, how do they find ways to communicate better? Here are three tips to get started.
While everyone agrees that the best way to ensure an application is secure is to build it that way from the beginning, you might be shocked to hear that zero of the top five international schools for computer science require students to complete secure coding or secure application design courses as part of their graduation requirements. If developers aren’t properly trained, it can be difficult – if not impossible – to understand and deliver on security’s requirements.
That’s why on-the-job secure coding training is crucial for mobile app developers. Secure coding helps teams build security into the development process and reinforce it through the lifecycle of a mobile application (otherwise known as a secure software development lifecycle, or SSDLC). These skills also help to bridge the gap between security teams and developers, where there’s often a shared set of responsibilities to execute on (see more on that topic in the next section).
To get started, there are many publicly available resources and best practices for teams to use in secure coding training, including Carnegie Mellon's CERT secure coding standards.
The rise of fast, iterative mobile application development lifecycles has led to a lot of blame-shifting between development and security teams on exactly who is responsible for a secure final product, as evidenced by the GitLab survey cited above. The answer should be: both!
A culture of shared responsibility means developers and security professionals should collaborate at multiple points in the SSDLC – not just when something goes wrong. For example, security should be a part of the requirements development process, and security-trained developers should be able to deliver on those requirements by baking security into their code. As the climate of business and compliance risks changes, security and development teams should regularly meet on how to address new requirements for the mobile apps they deliver.
If teams collaborate in this way, then if (and when) there is a security incident, they can act fast to resolve it instead of deciding who is to blame.
The more security teams and developers can integrate security into their day-to-day work processes, the more likely it is that security concerns are addressed proactively rather than reactively, reducing both the cost and impact of security threats. This is especially true given the shortage of security talent in the workforce today. Globally, open security roles surpassed 4 million in late 2019. Luckily, there are many tools on the market that can help automate repeatable security checks within the development lifecycle, often through continuous integration and continuous delivery (CI/CD) tools.
Application hardening is another area where specialized security solutions can help. Tools from organizations like Guardsquare can help teams apply a combination of code hardening techniques and runtime protections. Code hardening is an effective way of protecting your Android APKs, iOS apps and SDKs from reverse engineering and hacking. Hardened code is resistant to both automated and manual analysis, meaning that most of the tools attackers use are ineffective.
The best way to alleviate any tension between developers and security professionals is to make mobile application security a priority from the outset, not just a knee-jerk response to an incident. If the mandate from security comes from the top, it becomes imperative that both teams communicate and collaborate well together. That way, developers understand how to build security into their code, and security teams can focus on reducing the organization’s overall risk.