Do developers really care about security?

InfoWorld talks with GitHub's Jamesha Fisher about the cultural shifts necessary for baking security early into the devops process

Over the years, developers have been dogged by a reputation for placing security as an afterthought. Get a slick, full-featured experience up and running fast, and figure out how to deal with whatever holes crop up once QA gets its hands on the code.

Organizations may have had a significant hand in fostering developers' laissez-faire attitude toward security by siloing teams in separate domains and giving development, QA, ops, and security operations isolated opportunities to apply their expertise to the code.

But with security and privacy increasingly top of mind among users and with companies moving more toward a devops approach to software development, developers need to shed that reputation and consider security concerns as an integral part of the development process.

To shed light on how developers' attitudes toward security are changing, I sat down with Jamesha Fisher, security operations engineer at GitHub, at Black Hat to ask her point blank: Do developers care about security?

Sometimes it still seems like they don't. A distressingly large number of web applications still have SQL injection flaws. The discussion around the deserialization flaw in a Java library a little less than a year ago showed that many developers still aren't sanitizing all inputs to their applications. That's only two out of a long list of common security mistakes developers make.

That's not to say there is malicious intent. Anything created by humans, by definition, will be imperfect, and software is no different. No developer wants the code segment he or she produces to contain the next Stagefright or Heartbleed. It's a question of knowledge, skills, mentality, and culture, as Fisher pointed out in our discussion. And with security and privacy becoming daily headline concerns, developers are beginning to ask the right questions.

"So many of them are increasingly getting more focused on security," Fisher says, pointing to questions they ask early about authentication and how to store data securely, when in years past this was left to secops. Developers are looking at how their peers are building similar applications and taking note of the baseline expectations.

Security isn't about vulnerabilities alone, Fisher points out. Availability is a form of security, too, she says. That includes holding up under both legitimate user traffic and malicious traffic. With data breaches exposing user data, there are now more questions around data storage, especially in securing data so thieves can't easily access or steal it, and considering, from the get-go, how to store data so that it remains protected in case of theft.

"A lot of teams going in are [saying], 'We need to think about availability; we need to think about app security, having it baked in, or at least having the basic security stuff down,'" Fisher says.

For many startups, security concerns have become a rite of passage. As they get past the initial hustle and start to attract interest from enterprises, many are faced with the prospect of making sure their product and infrastructure fit what enterprises are looking for. In many cases, this means both hardened security and compliance. Software shops at this stage of maturation are beginning to realize the importance of documenting software development processes and explaining how they handle software updates, Fisher says.

Security is also playing a role in the rising use of devops, as security teams work with developers to get the fixes out faster and better. For this to gel and for code to be secure, organizations need to undergo a cultural shift, starting from the highest levels of management down, so that security can be folded into the devops pipeline, Fisher says.

But for those who think developers don't care about security, Fisher is adamant. "That is definitely not the case."

Fahmida Y. Rashid

InfoWorld