Feature Story

In an app-fueled world, embed security at the source

A DevSecOps startup's mission: spread security awareness to developers everywhere

To drive home the critical importance of DevSecOps for today’s businesses, Pieter Danhieux goes back in time — way back. 

“If you think about when we humans built our first bridges or our first houses 2,000 years ago,” he explained, “I’m pretty sure those houses weren’t really constructed with safety and security in mind. It was just functional stuff.”

So, too, with coding, software, and apps. Danhieux, CEO of the Australian DevSecOps startup Secure Code Warrior, has seen the same security flaws cropping up for decades. Most are baked in at the developer stage — not unlike a bridge or house that’s designed with a dangerous structural problem. 

“It took us about 2,000 years of engineering knowledge to make these bridges and houses as safe as they are today,” he added. “And if you look at software engineering, it’s a profession which is, what, 50, 60 years old, maximum, and that means we haven’t really thought about safety or security much.”

It's a problem that the COVID-19 pandemic has only heightened. As organizations are forced to make fast changes on the fly — enabling a much higher volume of remote workers, for example — they depend on apps constantly. 

Hackers, meanwhile, are exploiting vulnerabilities that can be embedded in code at the most fundamental levels. 

To counter such challenges, Danhieux is working to get everyone thinking about security, from the earliest stages of coding and app development through to operations and upgrades. And with investments from the likes of Goldman Sachs and Cisco Investments, Secure Code Warrior is taking a leading role in closing some of the costliest security gaps facing organizations today. 


As apps accelerate, security gaps widen

Apps, after all, are central to today’s businesses. And reimagining apps is a constant process. In fast-paced, disruptive environments, they need to be developed rapidly and changed constantly, which is where DevOps has excelled in recent years. But as Danhieux stressed, “security needs to be built in from the start. You can’t bolt it on at the end.”   

That’s easier said than done, however, as security awareness among developers is often low and the ability of time- and resource-strapped security teams to catch vulnerabilities at later stages is limited. Secure Code Warrior’s platform addresses the issue on multiple levels, including training, automated testing, and culture change — but keeps it simple and fast at every stage. 

Danhieux’s extensive experience with penetration testing — that is, breaking into systems to identify vulnerabilities — spurred him to co-found Secure Code Warrior. Often, he discovered, the same coding mistakes cropped up over and over. And it only got worse as the pace of business increased and technology grew more complicated. 

“Today, the releases are quick,” he said. “There’s new technologies. There’s cloud. There’s also the continuous, evolving programming languages. Looking back 20 years ago, everybody was probably just programming on C and Java, but, now, there are literally 50, 60 different programming languages and frameworks, and there’s a lot of open-source software that people are reusing and not really reading or checking. All of that has led to a really complex landscape.”

Adding to the problem is an explosion of new Internet of Things devices — many of which employ outmoded coding — and a lack of security talent to test it all. 

“I think that one of the challenges we run into is that there is often only one security person for 300 to 500 developers,” he said. “The whole move to DevOps and Agile and rapid releases has completely screwed up that model because one person doesn’t have the bandwidth to test every single new feature built by those developers.” 

Taking security to the source: heightened awareness for developers

By going to the source, it’s possible to nip many potential problems in the bud, thereby avoiding more complicated fixes — or worse, breaches — at the operational stage. But that means introducing new concepts to developers who are already pressed to deliver at an ever-increasing pace. 

One key element is fun

“Step one is making sure that people are aware about the problem, that they understand that security is part of their job,” Danhieux said. “So we’ve built a gamified online environment where we get security people and developers together. They can basically have a competition that makes them aware that security is part of the whole software development lifecycle.” 

From there, he added, more than 3,500 training modules span nearly every coding language. “Whether you are a C++ developer or a COBOL developer or you’re doing Java or Go, or one of those newer languages, we show you how security works in that specific framework.”

In operational stages, testing is automated, vastly increasing the pace at which apps can be examined for vulnerabilities. For any organization, the savings in time, resources, and risk can be enormous — even without a major breach. 

“The real savings,” Danhieux explained, “come from not going through that continuous feedback loop of writing software, identifying security vulnerabilities, then going back to the developer, fixing them, and going through that whole cycle again. That slows down software development.” 

Danhieux sees Cisco’s investment in Secure Code Warrior as a win for both companies. 

“We are a startup out of Australia,” he said, “and before our latest investment round, we were viewed as a strange company somewhere in Australia that was making a little bit of noise. But people are taking us seriously, so that’s definitely a big positive for us.”

Given Cisco’s deeper involvement with software and apps in recent years, it, too, stands to benefit greatly from the partnership with Secure Code Warrior.  

“Cisco is continuously evolving and changing,” said Danhieux, “and paying more attention to applications that are running in production. AppDynamics was one of the acquisitions that's demonstrating that Cisco is moving in that direction. In the DevSecOps space, we’ll be able to help Cisco in giving developers a positive experience around security.”

The pandemic has challenged society and business in profound ways. But the potential for technology to change the world in great ways still stands. All that will come to naught, however, if security isn’t pervasive. In that sense, Danhieux sees his team as part of a larger purpose. 

“There’s roughly 23 million developers on the planet today,” Danhieux concluded, “and it’s growing every single year. Most companies are turning into software companies. So we do see ourselves on a mission to reach every single developer. If every developer on the planet understands the concept, then I’ll feel that my mission is completed.”

###

We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.