What can toy building blocks teach developers about security best practices?  

Article by Maty Siman, founder and CTO, Checkmarx

Software development as an industry is transforming all the time and, in recent years, it has changed considerably due to evolving market demands. 2020 in particular was a challenging year, as many businesses were forced to adapt their web and application development processes to meet changing market needs and user experience requirements.

The role of the developer is also evolving. Think back 10 to 15 years when developers would write everything on their own. Today it’s very rare for developers to write all code from scratch. They tend to take tools and resources from different places, such as AWS Cloud, to create software more efficiently in this new era of modern application development.

One way of summarizing this is by using Lego bricks as a proxy. Modern application development, when broken down, isn’t too dissimilar to using toy blocks to build a bridge. For example, to build a secure bridge, it is not sufficient to focus on each brick individually to determine if the bridge is strong enough. The builder must understand the bigger picture or the ‘architecture.’

By moving away from writing their own code, developers have to combine different elements with architecture, which includes looking at the full infrastructure to see just how stable the design really is. What we are talking about here is the basis of modern application development.

With coding, as with building blocks, developers need to have a view of the bigger picture. Developers now want to build flexible applications by simply snapping components together. This is a positive shift that has allowed developers to focus on what matters most: business logic. At the same time, however, it raises security concerns, especially around the links between the components.

Developers are constantly introduced to new and complex security challenges. An application breach can be devastating not only to the end-user but to the entire organization as well. As the ‘snap-on’ model of modern application development continues to gain popularity, what are the security risks that organizations need to consider when ‘legolizing’ modern application development?

Securing the bricks and architecture

When building a metaphorical Lego bridge in the application security world, developers need to look at where components are linked and the ways that they work together to ensure the security of the applications they’re building. Modern application security is focused on two steps: making sure the bricks are secure, then making sure the architecture is secure. Without doing this we’re opening up the apps we’re developing to attackers.

We have seen a proliferation of supply chain attacks in the last year, including large-scale, high-profile attacks, such as Kaseya and Colonial Pipeline, targeting major firms along various supply chains. Closer to home, in March of last year, 580,000 Singapore Airlines’ frequent flyer members were compromised in a supply chain attack, and later in November, the Cyber Security Advisory Panel of the Monetary Authority of Singapore (MAS) called for strengthening security against cyber attacks on IT supply chains.

Hackers have realized it’s easier to attack one component rather than the whole stack. It might seem obvious, but if we apply this back to our bridge, it’s easier to attack a crack in the bridge, rather than the whole bridge itself, and the same applies to applications. For example, rather than attacking an organization head-on, hackers are finding a vulnerable component to attack instead.

Addressing the ‘legolized’ attack trend

Traditionally, developers have seen security as the problem of an organization’s IT team. But, in recent years, there has been a mindset change and developers are realizing that the security issue also lies with them. In order to help developers prevent a ‘legolized’ attack, organizations need to encourage them to take a more holistic, unified, and effective approach to managing risk.

Developers need access to the right tools to look at the overall architecture of how the code they use fits together. There is now a real need to be able to scan all the bricks and the links and to have different engines correlating with each other.

Developers can’t be expected to know every trick for beating criminals, as attackers move too quickly. However, they do need to be able to automate detection and mitigate security risks. To help them with this, they need to use a supply chain engine that can track all components and infrastructure, but also one that won’t affect or slow down their work.

Training developers as a form of defense

Everyone agrees that training is important, but until recently, no effective solutions have been presented. And therein lies an issue: developers are eager for knowledge on writing secure-by-design code, yet have traditionally lacked the tools or solutions needed to put it into practice. This knowledge gap has left them unable to deliver the safest products for organizations, resulting in risks that are entirely preventable.

Businesses need to put measures in place to ensure developers receive the appropriate application security training – but not traditional compliance sessions. Organizations should, instead, prioritize a bitesize, interactive training style that enthuses and is tailored to developers who are reshaping software development.

The software development landscape has changed and it will continue to do so as digital transformation and innovative technology solutions continue to evolve. The message for businesses wanting to ensure their developers are empowered to create secure applications is that modern application security has to evolve in tandem.

The views in this article are those of the author and may not necessarily represent the views of Tech Wire Asia.