How to Teach Developers to Create Secure Apps

David Balaban
Nov 15 · 6 min read

Developers pay great attention to the design of software products, trying to make them as convenient as possible. But what about the security of the data that users entrust to the manufacturers of these applications? How can one learn and teach to create secure applications? I would like to share my experience in tutoring developers and propose a system that allows you to train in finding and fixing vulnerabilities.

The importance of secure development

If an inexperienced developer writes code, that developer will bump into bugs and vulnerabilities sooner or later. And then the evil security guy comes in and asks them to eliminate those vulnerabilities.

The main idea of learning secure development is that someone will find a vulnerability anyway, and the code will eventually have to be rewritten. To avoid this, developers need to be taught how to write good code right away.

Meet John

John is a new employee. Now he is good at tree rotation, but so far, he does not understand the difference between CSRF and XSS and does not know anything about other vulnerabilities. How can you help John better understand information security?

I would like to offer a model with five levels of information assimilation. Here they are – understanding, recognition, reproduction, usage, and creation. Let us walk John through all these steps. At the end of the journey, he will learn how to build secure apps independently.

Level 1. Understanding

At this stage, John does not yet have any security skills or knowledge, but he is already figuring out that he needs them. At the same time, he receives a welcome letter from the information security department, which informs him that from now on, he will live in the safe world of ACME Inc. (your company name). John is invited to take a series of courses on secure application development, and special assignments are created for this activity. If something has not been completed, reminders will arrive every week.

Level 2. Recognition

At this stage, John begins to gain theoretical knowledge about what security is, who these guys from the information security service are, and what they do. Here, paper posters may help. They remind employees that security exists (even if they do not see it, it still exists). Besides, these posters are a kind of PR for the in-house information security department.

Many employees are working remotely now and rarely visit the office. So, posters at coffee points are no longer as effective as they used to be. Today, it is better to inform colleagues through an internal information security blog that publishes write-ups of interesting vulnerabilities, cyber threats that may affect your products, and other valuable materials.

Let us go and chat

It is helpful to conduct training where you create a lively discussion between developers and security professionals. These training sessions should not focus on abstract vulnerabilities but review those information security issues that are of direct concern to your teams.

Working together, you can figure out why certain problems arise, how attackers can exploit a specific vulnerability, and what damage this can cause to a company. And of course, at these meetings, IT security professionals help the teams to eliminate these problems.

Training is a valuable tool, but unfortunately, it is not scalable. Most likely, your security team consists of two, three, or five people, while there are a lot of services and development teams in the company.

Besides, new developers get hired all the time. To cover everyone, it is desirable to create manuals and guidelines on developing secure applications for all the parties involved, including testers, system administrators, managers, and other specialists. Text articles supplemented by slides and videos work the best.

Your developers do not have to reinvent the wheel. They can reuse ready-made and verified solutions. Guidelines should not always be built on vulnerabilities but focus on best development practices instead. It is good to have security guidelines for the web, Android, iOS, compiled applications, and smart devices.

Go beyond

Do not be limited to posters, an information security blog, training, and guides. Think about the practical secure application development exercises John needs to do.

Some companies create a general course for developers that is meant to suit everyone. In practice, it is better to create several individual courses: for Android developers, for iOS app developers, for those who develop applications in Python, C++ (or other languages you use). It is good to have a separate course for cloud and web developers based on the OWASP Top 10 and the vulnerabilities that you most often come across in your own products.

Again, to visualize materials, it would be good to invite artists who draw pictures, comics, cartoons, and videos.

Level 3. Reproduction

At this level, John can apply theoretical knowledge and address typical security issues. Special solutions are available that let employees practice finding and fixing vulnerabilities. There are many such systems on the market, including open-source tools.

If you decide to develop your own system, your solution needs to satisfy the following requirements:

1. Training in finding and fixing vulnerabilities.

2. Automatic solution/answer checker.

3. Adding custom tasks.

How to create assignments that are relevant to the technologies used in the company?

There are several stages here. Let us take a look at them.

1. Prepare code with vulnerabilities. First, find typical buggy code. Ideas for assignments do not need to be invented on purpose: take the tickets that have been filed and the items being audited, extract the patterns that may be of interest to most employees, and build the vulnerable code on their basis.

2. Create functional tests.

3. Create security tests. It is necessary to check whether the vulnerability has really been fixed correctly. There is an interesting nuance here: for most vulnerabilities, writing such tests is not difficult, especially if you want to allow the developer to fix the error in unusual ways.

4. Validate acceptable solutions. At this stage, it is better to complete the test tasks yourself and verify that the tests behave as intended.

5. Prepare a Docker image in which to run tests.

6. Write the theoretical part and description of the task.
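The skeleton of one such assignment, as an added example that is not part of the original article: a deliberately vulnerable function (step 1), a functional test (step 2), a behaviour-based security test that accepts any correct fix rather than one specific technique (step 3), and the checker that combines them (step 4). All function names and payloads are constructed for this illustration.

```python
import html
import re
from html.parser import HTMLParser
from typing import Callable

# Step 1: the deliberately vulnerable code the trainee receives. Untrusted
# input is interpolated straight into HTML (reflected XSS). Constructed example.
def render_greeting_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}!</p>"

# Two possible trainee fixes. The checker must accept both, so the security
# test checks the rendered output's behaviour, not which technique was used.
def render_greeting_escaped(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def render_greeting_allowlist(name: str) -> str:
    # The "unusual" fix: reject anything that is not a plain name.
    if not re.fullmatch(r"[A-Za-z][A-Za-z .'-]{0,63}", name):
        name = "guest"
    return f"<p>Hello, {name}!</p>"

# Step 2: functional test. A fix that breaks the feature is not accepted.
def functional_test(render: Callable[[str], str]) -> bool:
    return render("Alice") == "<p>Hello, Alice!</p>"

# Step 3: security test. Constructed payloads; the parsed output may contain
# only the wrapper paragraph, with no attributes, whatever the trainee did.
PAYLOADS = ["<script>alert(1)</script>", '"><img src=x onerror=alert(1)>']

class TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, attrs))

def security_test(render: Callable[[str], str]) -> bool:
    for payload in PAYLOADS:
        collector = TagCollector()
        collector.feed(render(payload))
        if collector.tags != [("p", [])]:
            return False
    return True

# Step 4: the automatic checker. A solution is accepted only if both pass.
def check_solution(render: Callable[[str], str]) -> dict:
    functional, secure = functional_test(render), security_test(render)
    return {"functional": functional, "secure": secure, "accepted": functional and secure}
```

Because the security test inspects the parsed result instead of looking for a call to `html.escape`, the allow-list fix passes just like the escaping fix, while a "fix" that returns a constant string is rejected by the functional test.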

It is good to have a module that shows the progress in completing the test tasks. Based on this data, the best employees can be rewarded with virtual medals. When John solves all the tasks correctly, he will receive an award so that all colleagues know what a great guy he is.

Level 4. Usage

Having trained in such a system, John can take part in a CTF.

Level 5. Creation

At this stage, John moves to creation as he will use the acquired skills and knowledge to write reliable code and develop secure services.

So how do you get started?

There is another way to get developers to create secure code, and that is by leveraging security tools as part of the software development process. Imagine a tool that provides real-time feedback to the developer every time he commits his code to the company's source code management system and alerts on any risks, vulnerabilities, or misconfigurations. That way, the developer can review and fix the issue immediately and resubmit, uploading new, more secure, better-quality code. This way, we tackle issues early and solve them during development without compromising development speed. Another benefit of this process is that it lets each developer fix his own mistakes, which creates a personal training program for him, enforced by the tool.

Argon's software supply chain security solution enables you to do just that. As part of this platform, customers are able to set up an Integrity Gate that scans every file or piece of code committed to the source code management system and reports issues with the commit back to the developer through a comment on the pull request, enabling him to fix it and resubmit. Improving code quality and security is only one feature of the solution, which enables you to protect your software supply chain infrastructure and process against misconfiguration and vulnerabilities and to prevent supply chain attacks.

What tools and approaches do you use to write safe code and test your applications? Please share your opinion in the comments.
