/aug 1, 2018

The Art of Secure Code

By Suzanne Ciccone

We think a high-quality and highly secure app is a work of art. As with any artistic endeavor, it takes creativity, resources, training, and talent to create secure code. Maybe it’s a little bit of stretch to compare your software developers to Picasso, but we would argue that there are a lot of similarities between creating a great piece of secure code and a great piece of art. For example, both require:


Just about every famous artist you can think of studied art at some point. For example, Georgia O'Keeffe studied art at the School of the Art Institute of Chicago, the Art Students League in New York City, and the University of Virginia. Matisse studied art at the Académie Julian. Your developers need training as well to create secure code. But they probably didn’t get it. A recent Veracode/Devops.com survey found that 68 percent of developers and IT pros say their organizations don’t provide them adequate training in application security. 76 percent of survey respondents who attended college reported that they weren’t required to complete any security courses while in school.

But we also have clear evidence that closing this developer knowledge gap has a big security pay-off. When we looked at our customers that provide their development teams with eLearning on secure coding, their developer fix rates improved by 19 percent. Those who use remediation coaching to guide their developers in managing flaws found improve fix rates by a whopping 88 percent.

A muse

Piccaso had Dora Maar; Andie Warhol had Edie Sedgewick, and your developers need security inspiration and motivation as well. The “muse” your developers need to create secure code is a security champion. These champions, who are developers with an interest in security, help to reduce culture conflict between development and security by amplifying the security message on a peer-to-peer level. They don’t need to be experts, more like the “security consciousness” of the group.

The right tools

Artists need the right paints, canvases, brushes – developers need the right security testing tools. And in a DevOps environment, the “right” security tools are those that are integrated and automated. With the speed of DevOps, security testing that slows developer workflows or forces them to switch tools will be worked around or ignored. In a DevOps world, security needs to be automated and integrated into developers’ existing tools and processes.

The “Art of Secure Code” comes to life at Black Hat 2018

We’re taking this whole art metaphor one step further at Black Hat this year! By combining art and code in a unique way, we’re bringing our “art of secure code” theme to life. You don’t want to miss what will be going on at Booth 852 – from virtual reality to live illustrations, it’s a one-of-kind experience. Plus, you could walk away with one of our unique Black Hat art pieces designed right on site by our artist. In addition, we’ll be showcasing our latest “masterpieces,” including our newly revamped Dynamic Analysis, Software Composition Analysis, and Veracode Static Analysis IDE Scan.

Creating secure code is an art, and we can help you create museum-worthy secure code; find out more about our presence at Black Hat.

Related Posts

By Suzanne Ciccone

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.