Security software services provider Saltworks has teamed up with Secure Code Warrior to help developers learn to build secure software through secure code education and skills development.
Secure Code Warrior, based in Sydney, Australia, provides secure developer training services and coaching tools to help developers learn to address security early in the software development lifecycle. This process of "shifting left" to bake security into the app building process from the start is gaining traction in the DevOps world, as well as in application development overall.
"The general concept of 'shift left' refers to fixing issues earlier in the development process, which has been embraced by the majority of developers for some time," said Stephen Allor, head of partners at Secure Code Warrior. "The question this raises is, do the majority of developers define quality code as secure code? To this end, we are encouraged that more and more CISOs, CIOs, CTOs and developers are embracing this viewpoint, though unfortunately, this is still far from the majority."
Partners in secure coding
Saltworks, based in Kennesaw, Ga., has a reputation as an application security consultancy that helps its customers build application security programs. Secure Code Warrior provides developers with secure code enablement through its training.
While the two companies already have several common customers, the partnership enables Saltworks to enhance its value with a more comprehensive, continuous improvement and learning program powered by Secure Code Warrior. New customers will benefit from a prevention-minded approach from the start, tapping into the expertise of both organizations, together with their respective value-added partnerships.
"Development teams must make security an aspect of all software development projects from the time of requirements through pushing code into production," said Michael Morris, CEO of Topcoder, an Indianapolis company that provides freelance developer talent on demand. "One strategy is frequent peer code reviews that can catch vulnerabilities often and early. Companies committed to the highest software quality and standards should support security training for developers to help eliminate, or at the very least reduce, security risks."
Secure code is a priority for Topcoder development teams and plenty of measures are taken to make sure developers write secure code, such as access controls to limit privileges and restricted access to secure data throughout the software development lifecycle, said Thomas Kranitsas, a full-stack developer who freelances through Topcoder. Their teams also use credentials management, where repositories are integrated with apps to protect sensitive information. In addition, they implement strong input validation as well as error handling and logging standards to ensure the integrity of code.
"The concept of 'shift left' encourages a culture of quality in software development and progressive IT teams like to push 'shift left' testing even further toward the coding phase," Kiril Kartunov, a front-end developer and community member at Topcoder. "In order for developers to continue thinking in a 'shifting left' spirit, companies need to encourage it with ongoing training and incentive programs."
Baking security into coding
Meanwhile, "baking in security" means treating it like any other technical or business requirement integral to the software development lifecycle (SDLC). As companies move to more rapid delivery models like DevOps, anything that is not "baked in" gets left out or breaks the DevOps process, which increases time, cost and risk.
Moreover, if an organization isn't already integrating application security from the start, aside from being highly susceptible to vulnerabilities, the software can be lower quality overall, said Dennis Hurst, president and founder of Saltworks.
Stephen AllorHead of Partners, Secure Code Warrior
"It's easy and cheap to write an application that doesn't meet business requirements, performs poorly and is insecure," he said. "While writing high-quality applications requires a bit more of an investment in planning, training, development and testing, the results are worth it. The same principles apply to secure coding. Also, writing applications securely leads to far less rework down the road, so the true total cost of ownership is lower in almost every case."
However, shifting left or addressing security earlier in the SDLC may not be enough for some.
"We believe that a 'start left' approach is where the industry needs to get to," Allor said. "This is where developer upskilling translates into secure quality code written correctly the first time to prevent the overwhelming volume of issues that are currently being identified later in the SDLC."
Secure Code Warrior's approach is to engage developers in a personalized learning experience using the languages and frameworks they work in all day and challenge them in an interactive code-level learning experience.
"This learn-by-doing approach closely mirrors how most developers have learned what they know today -- on the job, through trial and error and in the code," Allor said. "When a developer spends a short time learning in our platform and starts to open tickets on themselves to reclaim mistakes they now know they have made, you know the approach is effective."
In related news, Saltworks will host its Saltworks Secure Coding Tournament on March 26, beginning at 9 a.m. EDT and running through March 27 at 11:59 p.m. EDT. Tournament participants will compete against other developers in a series of vulnerable code challenges where they must identify a problem, locate insecure code and fix a vulnerability.