Why is the developer a key component within the development process?
Observing the pace of the attacks we have been following makes it clear that something must be done quickly to protect applications efficiently. For many companies, the natural first thought is to create and structure security teams and to provide those teams with tools and techniques. But, at the end of the day, who really should have the focus on mitigating such vulnerabilities? Many may have thought of the developer, so what is the developer’s role in application security?
At the end of the day, I strongly believe that what we have to do is provide the dev with the necessary knowledge so that he can build secure code. This happens daily in any company whose business is supported by applications.
Before talking a little about the role of the dev in the context of application security, and about how training and education are essential, let’s first understand the context we have today and try to put into a few words what we see every day in the market.
The application security market
For commercial reasons, what we find most in the market are companies that sell their products as a silver bullet for application security, creating the illusion that simply using this one component solves all the problems of development and security teams. We know that these tools are components of a larger process and, therefore, need to work together with several other elements to deliver what is expected at the end of that process: a safer application.
In this article, I want to shed some light on one of the OWASP projects I find most interesting. I want to talk about SAMM and how it can help you understand that application security is a process, and that it is much bigger than using tools. Second, I want to show that the real differentiator of more secure companies is that they understand all of their processes, and that the dev can be one of the most important points of the whole process.
Understanding the OWASP SAMM
First, let’s summarize what SAMM is, and for that, I will put my definition here, but based on the OWASP definition itself.
“SAMM, which we have already discussed in several articles here on our blog, is a technology-agnostic set of practices that presents a structure of processes which, when followed, can help in the design, construction, and delivery of safer applications.”
With this definition, I hope to demonstrate that even if we have a great desire to only put tools in our development process, other aspects must be addressed.
So we also have to think about the human factor and put it at the center of this process because, as we said, at the end of the day it is the dev who generates the code, it is a person who uses the code, and it is also a person who tries to compromise that same code. That is, people must be understood as the main focus of the process.
The developer’s role
Focusing now on the developer’s role: he is a key figure in the application security process, as he is responsible for writing the code that will compose the application, and he is the main party responsible for mitigating the vulnerabilities that may arise during the development process.
On the other hand, the dev often lacks the training needed to understand how to write secure code. He needs to gain the technical knowledge to apply the best security practices during the development process. That’s where the importance of training and education for developers comes in. We’ve already talked about it in other articles here on the Conviso blog, and those articles are worth looking up.
To recap, when we talk about SAMM training and guidance, the focus is on providing your teams with the knowledge that can help in the process of planning, designing, coding, and delivering more secure applications. This should not be understood as a practice of greater or lesser importance than the others listed in SAMM; they are all part of a larger context. In addition, the developer must be aware that he is one of those mainly responsible for ensuring the application’s security through the implementation of safe programming practices, such as validation of data input, use of cryptography, access control, and verification of known vulnerabilities.
Another interesting SAMM practice is “Secure Code Review”, whose purpose is to ensure that code written by developers meets certain security standards. This practice is extremely important, as many vulnerabilities can be found during code review, thus reducing the likelihood of security flaws in the application. Let’s remember that the earlier in the development process a vulnerability is identified, the better the result at the end of the process. As we said, all SAMM practices have their importance within the Secure Development Program as a whole, but if we focus on the objective of this article, I believe that the training practices and the manual testing within the process best show how important the developer is in building a more secure application.
Application security as an ongoing process
Finally, I think it is important to highlight that application security is an ongoing process that must be constantly reviewed and updated to ensure that vulnerabilities are identified and corrected as quickly as possible. The developer is a key player in this process, as he is the one closest to the code and has the greatest capacity to understand and implement the necessary security practices.
In short, application security should be treated as an ongoing process that involves the entire development team, not just the security teams. The developer must be aware of his responsibility in this process, constantly seek training, and adopt good security practices to ensure that the application delivered to the end user is safe and reliable. The adoption of secure frameworks and libraries, the running of automated tests, and configuration management are also important practices that contribute to application security.
Therefore, with SAMM and the awareness of everyone involved in the development process, we can create safer and more reliable applications for our users, protecting our company from possible attacks and loss of sensitive data.