Secure code and DevOps can be achieved if developers work closer to the security team.
Speaking in the keynote session ‘Securing the code – building resilience, security and agility into coding, design and development’ at Infosecurity Europe, a panel led by Ovum principal analyst, security Andy Kellett asked that with the amount of code being generated, why are the same old vulnerabilities still present?
Jon Townsend, technology and information security director at the National Trust, said that there are old problems to deal with, and the sheer volume of code using open source libraries and product integration and APIs is causing this, and developers working on code can solve a lot of headaches further down the line.
Mieke Kooji, security director at The Trainline, admitted that there a lot of things that we know we should have tried to stop for many years, and developers should know about this and have been trained over and over ‘and not to a quality we would like and the old school approach of thorough training just doesn’t work’.
She said: “The cycle of testing and fixing slows down, and also to be more agile with the developer community means having product builders work alongside. A lot of developers are in this for more than security, and security needs to get in the way of what they are doing to make this right in the long term.”
Commenting, Lee Barney, M&S head of information security agreed with this point, saying we need to ‘wake up as an industry’ as with new NIST regulation and secure code guidelines, as the mantra is that developers need to continuously train to meet what security demands on how to code securely.
He said: “If we code securely, then the time to test will dissipate and smaller things will be easy to fix. We need to throw away the concept of how to do security, and reinvent how to work in an agile manner.”
Adrian Asher, CISO of the London Stock Exchange, said that it has never been easier to write secure code with ‘static analytics, awareness training and tools’, but we need to couple with developers and realize that security is there to enable, but we are not doing a good enough job to just ‘enable developers’.
“Developers want to write code and want to make it easier to do right things and punish wrong things, so they naturally move to the right things,” he said.
“We think information security is for securing systems. We are not going to do that, we use tools and technology and a little bit of DevOps.”
Townsend agreed, saying that with a DevOps model, everyone has got to adopt a security posture in what they do.