Back in the
day, when I was a graduate student at BGSU, I also worked full time for the
university in their computer services department. While my job was primarily involved with
dealing with faculty, staff, and students about which IBM or Apple computer
they should buy, I also dealt a lot on the hardware side as well. But the one thing that I was lacking was a
knowledge of software.
But that
problem was soon more or less solved when met a fellow worker there. He became
one of my best friends until his untimely death. His name was Dr. Morgan Deters, one of the
sharpest and most intelligent people I have ever known.
He introduced
me to what is known as Open-Source Software, especially in the way of
Linux. Although I did not get all of
what he was saying (after all, he was a computer scientist), I did get that OSS
has certain benefits over the Closed Source Platforms, such as Windows.
For example,
I learned that it was free to use and distribute, and licensing was not an
issue. Also, you could collaborate with
other people around the world in case you needed help with the coding. Well fast forward from back then, 1999 to the
present, which is almost 2025. Today, we
are seeing the explosion of OSS being used everywhere, especially when it comes
to creating mobile apps and web-based applications.
But because
of this, security has been very much lacking.
Probably the best example of this is the use of APIs. You may be wondering what it is, but to keep
things simple, it is the bridge between the backend (such as the database) and
the front end (which is the Graphical User Interface [GUI]).
If one were
to try to develop this kind of code on their own, it would take a long time to
accomplish. So the idea of the API is to
have some baseline source code in it, so that the software developer can tweak
it to their own requirements. The
primary benefit of this is that of time savings, especially when a project must
be delivered to a customer.
But because
of the Cyber Threat Landscape of today, software developers are under the gun
to make their source code as secure as possible. But even with this, it is not done on a
regular basis, either because they simply do not understand what Cybersecurity all
is about, or simply they just do not care.
Well, if you
lead a team of software developers, here are some tips that you can employ to
make sure that security is of topmost priority:
1)
Effective
Communications:
No
matter how large or small your team might be, instill an environment where open
communications is fostered. Let your
software developers talk freely with one another about the separate modules
that they are working on. By taking this
effort, you will also be eliminating silos in which software developers feel
comfortable working in.
2)
Have
Documentation:
Even
though software developers hate writing (at least from the ones I know of),
keeping detailed notes as to how the source code is being developed, and most
importantly tested is of paramount importance.
That way, if an issue ever develops, you will have a record that you can
fall back on. In a worst-case scenario,
you can always hire a technical writer who has experience in APIs to collaborate
with your team to create this documentation.
3)
Have
Ownership:
By
this, hold each software developer both accountable and responsible for each
source code module that they create. In
this regard, make sure that they are checking off the list when it comes to
security stuff that they need to be testing for, and audit all of this. If they fail to comply with all of this, then
you need to ask them some serious questions as to why items were ignored.
4)
Be
Initiative-taking:
Although
this can be very much a subjective term in how you define it, when it comes to
your software development team and using OSS, you must instill a sense amongst
them that security is of topmost importance.
But as I have alluded to before, they simply may not understand just how
Cybersecurity is. One of the best ways
to resolve this is to have training sessions to teach them about it. Here are some topics to include:
Ø
Understanding
the differences between weakness, vulnerability, and exploitation.
Ø
Explaining
what a threat variant is, and the amount of damage that they cause, especially
from a monetary standpoint.
Ø
Teach
about the tools that they can use to find the holes in their source code, such
as Penetration Testing and Threat Hunting.
Ø
Also
teach them about the oldest threat variants and how they are being used today,
such as Phishing, SQL Injection Attacks, Trojan Horses, etc.
Ø
Explain
to your team the Cyber Risks that each kind of programming language brings to
the table.
My
Thoughts on This:
Some other,
more technical ways in which you can make your software development team
maintain a strong level of “Cyber Hygiene” as they use their OSS platforms and
create the source code include:
Ø
Implement
a DevSecOps Team: This is an acronym
that stands for “Development, Security, and Operations”. You are taking members from each of these
respective areas to make sure that the source code and APIs are as secure as
possible before final delivery to the customer.
One of the greatest benefits of taking this kind of approach is that
there will be more sets of eyes looking at the modules to make sure that the
software development team is fully complying with the security requirements.
Ø
Teach
your software developers how the customer will use the final product, and the
risks they face in case a security breach occurs because of a flaw in the
application that they have developed.
This is also called “Contextual Awareness”, and it can go a long way in
terms of the huge risks that a threat variant can carry.
Ø
Consider
using Generative AI as another means to check for the security of the source
code. While this should not be relied on
in its entirety, it can help with the automation of the more routine and
mundane tasks that the software development team may face.
One of the
major weaknesses in the source code as it is being developed, is that
“Backdoors” are often left behind by the software developer. This is a point of entry for the developer to
get into to run the needed Quality Assurance (QA) checks. Many times, these are often forgotten about,
and this leaves an extremely easy spot for the Cyberattacker to sneak into and
stay in covertly for extended periods of time.
These also need to be checked.