Do developers really care about security?

InfoWorld talks with GitHub's Jamesha Fisher about the cultural shifts necessary for baking security early into the devops process

Over the years, developers have been dogged by a reputation for placing security as an afterthought. Get a slick, full-featured experience up and running fast, and figure out how to deal with whatever holes crop up once QA gets its hands on the code.

Organizations may have had a significant hand in fostering developers' laissez-faire attitude toward security by siloing teams in separate domains and giving development, QA, ops, and security operations isolated opportunities to apply their expertise to the code.

But with security and privacy increasingly top of mind among users and with companies moving more toward a devops approach to software development, developers need to shed that reputation and consider security concerns as an integral part of the development process.

To shed light on how developers' attitudes toward security are changing, I sat down with Jamesha Fisher, security operations engineer at GitHub, at Black Hat to ask her point blank: Do developers care about security?

Sometimes it still seems like they don't. A distressingly large number of web applications still have SQL injection flaws. The discussion around the deserialization flaw in a Java library a little less than a year ago showed that many developers still hand untrusted input straight to their applications' deserialization logic. Those are only two items from a long list of common security mistakes developers make.
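The SQL injection flaw mentioned above is easy to show concretely. The following is an added example, not code from the article or from GitHub: a login check written with string formatting, next to the same check written with query parameters, run against a constructed in-memory SQLite table (the usernames and passwords are made up for the demo; a real system would store password hashes, not plaintext).

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed sample data
    )
    return conn


def login_vulnerable(conn, username, password):
    """Classic SQL injection: attacker-controlled text becomes part of the statement."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep user input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# A textbook payload: closes the password literal and appends an always-true clause,
# so the WHERE condition becomes (username = 'alice' AND password = '') OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def run_demo():
    """Return (vulnerable result, parameterized result) for the injection payload."""
    conn = make_db()
    return login_vulnerable(conn, "alice", PAYLOAD), login_parameterized(conn, "alice", PAYLOAD)


if __name__ == "__main__":
    vuln, safe = run_demo()
    print("string-formatted query with payload ->", vuln)    # logs in as alice without a password
    print("parameterized query with payload   ->", safe)    # None: payload is just a wrong password
```

The payload never contains a valid password, yet the string-formatted query accepts it because the quote character changes the statement's structure. With placeholders the driver sends the value separately from the SQL text, so the same payload is compared literally against the stored password and the check fails as it should.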

That's not to say there is malicious intent. Anything created by humans, by definition, will be imperfect, and software is no different. No developer wants the code segment he or she produces to contain the next Stagefright or Heartbleed. It's a question of knowledge, skills, mentality, and culture, as Fisher pointed out in our discussion. And with security and privacy becoming a daily headline concern, developers are beginning to ask the right questions.

"So many of them are increasingly getting more focused on security," Fisher says, pointing to questions they ask early about authentication and how to store data securely, when in years past this was left to secops. Developers are looking at how their peers are building similar applications and taking note of the baseline expectations.

Security isn't about vulnerabilities alone, Fisher points out. Availability is a form of security, too, she says: an application has to stay up under legitimate user traffic as well as under deliberate attempts to knock it over. With data breaches exposing user data, there are now more questions around data storage, both how to keep thieves from reaching the data in the first place and, from the get-go, how to store it so that it remains protected even if it is stolen.

"A lot of teams going in are [saying], 'We need to think about availability; we need to think about app security, having it baked in, or at least having the basic security stuff down,'" Fisher says.

For many startups, security concerns have become a rite of passage. As they get past the initial hustle and start to attract interest from enterprises, many are faced with the prospect of making sure their product and infrastructure fits what enterprises are looking for. In many cases, this means both hardened security and compliance. Software shops at this stage of maturation are beginning to realize the importance of documenting software development processes and explaining how they handle software updates, Fisher says.

Security is also playing a role in the rising use of devops, as security teams work with developers to get the fixes out faster and better. For this to gel and for code to be secure, organizations need to undergo a cultural shift, starting from the highest levels of management down, so that security can be folded into the devops pipeline, Fisher says.

But for those who think developers don't care about security, Fisher is adamant. "That is definitely not the case."


Fahmida Y. Rashid

InfoWorld