I recently joined Veracode after spending five years managing application security at a global investment bank. I’m sharing a bit about my background and reasons for joining Veracode in the hope that my experience helps others trying to work security into software development.
My career as a developer began in South Africa, where I learned cryptography and embedded firmware developing mission-critical communications systems. These were systems that people use in “life or death” situations, and this gave me a huge appreciation for the importance of building rugged and dependable systems. If my software was vulnerable, someone could lose their life! Later in my career, I developed embedded medical electronic equipment used in first-line triage of patients in emergency situations. Again, people’s lives were depending on my software.
In the last four years of my career, I have spearheaded a major application security programme at one of the world’s largest banks, helping to secure their applications that run the very core of our modern financial markets, and which are under almost constant threat from an increasingly hostile environment.
I have long since recognised that software is foundational to our world, and that as a software developer, I have an awesome responsibility to ensure that my software is not vulnerable and meets its intended purpose.
One of the major challenges I had in my role running a large application security programme was understanding the very real challenges faced by modern application developers. In many cases, the developers did not have the same background as me in developing robust systems and didn’t fully appreciate that their software could be attacked by very sophisticated attackers with vast resources and skill. Perhaps they couldn’t anticipate the longevity of their applications, or how their applications would be deployed and used. In many cases, the developers I was working with had a poor understanding of the tenets of secure or robust software and were under too much pressure to deliver new product and features.
My firm conclusion at this time was that no matter how much pressure was brought to bear on developers, they simply could not address their security technical debt alone. As security professionals, it is incumbent on us to deliver better technology, tools and training to ensure that our growing legions of developers are adequately equipped to write the secure software we need to run our world.
Modern software development practices ensure that all software is tested functionally, and I have the view that no software should be developed without being thoroughly tested for security. I have joined Veracode to help shape the product roadmap and to help deliver the tools that developers can use as part of their daily development process without even being aware that they are there. Modern software practices are rapidly evolving, and it is my role at Veracode to ensure that we deliver innovative security tooling that can meet the demands of the latest development methodologies, such as the rapid evolution of DevOps, which presents some very unique challenges to security professionals.
However, my experience has taught me that the technology is only one part of the problem of securing software – the most significant problem is one of people. How do you engage with your developers to encourage them to change the way they behave, or indeed to accept that their software is perhaps not fit for purpose and requires remediation? And how do you tackle this problem at a large scale? In my experience talking to other customers, it is apparent that a dilemma exists – something needs to be done, but where do we start? Five years ago, that was precisely the dilemma I was facing surrounded by a mountain of technical debt and a poorly equipped development community. It felt like an insurmountable problem, but five years later, the programme has produced a dramatic improvement in security across the bank.
My other role at Veracode is as an evangelist for application security and to act as an adviser based on my experience. If you’re a potential customer faced with the daunting prospect of starting a new programme, or perhaps an existing customer with a programme that is not delivering the results you’d like, I would be more than happy to meet with you to share my experiences, and to see what we can do together to help secure the software that runs our world.
Final thoughts come from The Rugged Manifesto: “I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.”