15 January 2018
As 2018 gets under way, now is the perfect time to revisit the OWASP 2017 conference – and apply the best-practice guidelines discussed at the conference. Here are three key areas developers need to consider this year.
An increased focus on mobile and embedded systems
There have been two significant technology trends in recent years. First, mobile computing is (arguably) of greater importance than traditional desktop-based systems. Second, smart sensors are being deployed everywhere to create intelligent “Internet of Things” networks.
As a result, both mobile and embedded systems are attracting increased attention from cybercriminals, which means that developers need to raise their game in order to protect users.
Embedded software is coming under increased scrutiny, particularly because well-known vulnerability classes like buffer overflows and SQL injection are still frequently missed in this kind of code.
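To make the buffer overflow point concrete, here is an added example (not code from the original post or from OWASP) of the kind of unchecked copy that slips through review in embedded C, alongside a hardened version that validates the length before writing. The sensor-record layout, the ID_LEN limit and the sample IDs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical constraint: device IDs are at most 8 characters. */
#define ID_LEN 8

struct sensor_record {
    char id[ID_LEN + 1];   /* room for ID_LEN chars plus the terminator */
    int reading;
};

/* "Before": the copy that reviews of embedded code frequently miss.
 * Nothing checks that src fits in rec->id, so an over-long src writes
 * past the end of the array (here, into rec->reading and beyond). */
int store_id_unchecked(struct sensor_record *rec, const char *src)
{
    strcpy(rec->id, src);
    return 0;
}

/* Hardened: measure src with an upper bound, refuse anything that does
 * not fit, and only then copy. Refusing is preferred over silent
 * truncation, which can turn one device ID into another's. */
int store_id_checked(struct sensor_record *rec, const char *src)
{
    size_t n = 0;
    /* bounded length scan: never read more than ID_LEN + 1 bytes */
    while (n <= ID_LEN && src[n] != '\0')
        n++;
    if (n > ID_LEN)
        return -1;                 /* input too long: reject */
    memcpy(rec->id, src, n);
    rec->id[n] = '\0';
    return 0;
}

/* Self-check used by the stand-alone run: returns 1 when the hardened
 * version accepts an ID that fits and rejects one that does not. */
int hardened_copy_behaves(void)
{
    struct sensor_record rec;
    rec.reading = 42;                       /* constructed sample reading */

    if (store_id_checked(&rec, "ABC12345") != 0)   /* exactly ID_LEN chars */
        return 0;
    if (strcmp(rec.id, "ABC12345") != 0 || rec.reading != 42)
        return 0;
    if (store_id_checked(&rec, "ABC123456") != -1) /* one char too many */
        return 0;
    return strcmp(rec.id, "ABC12345") == 0;        /* buffer left intact */
}

int main(void)
{
    printf("hardened copy behaves: %s\n", hardened_copy_behaves() ? "yes" : "no");
    return 0;
}
```

The unchecked version is kept only to show what a reviewer is looking for; it is never called with over-long input here. The useful review habit is the one the checked version embodies: every copy into a fixed-size buffer in embedded code should have a visible length check next to it, and a length scan that is itself bounded.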
OWASP has also introduced a new Mobile Application Security Verification Standard (MASVS) against which mobile app developers can benchmark. The framework acts like a checklist, reducing the risk of exploitable errors and bugs creeping into mobile software.
Making security testing and hardening a “game”
The modern IT environment is a complex blend of hardware, software and services, providing a multitude of attack surfaces for hackers. But each and every one needs to be probed and tested to identify vulnerabilities.
The OWASP 2017 conference suggested introducing gamification into the security testing process to assess skills and safeguards in a real-time, real-world setting. With employees trained in cyber attack simulation, analysts and developers are able to pinpoint problems and develop fixes before systems are compromised by genuinely malicious third parties.
Using gamification, developers and testers are able to inject competitiveness into the process. Feeding this competition inspires attackers and defenders to try their hardest, delivering meaningful benefits from the process. These gamified scenarios also offer a useful opportunity to put security and threat models to the test, revealing shortcomings in the planning process too.
DefectDojo – new tool for testing
OWASP 2017 also marked the first appearance of DefectDojo, a new Open Source toolkit for pre- and post-development software testing. Approved by OWASP, DefectDojo claims to “streamline the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools.”
The toolkit is not restricted to mobile and embedded systems either. Any code can be assessed, allowing your team to accurately gauge the effectiveness of their securely coded applications. DefectDojo also highlights the SD3 – secure by design, default and deployment – principles that form the basis for developing robust ASP.NET and Java applications.
DefectDojo (and similar automated testing tools) will never fully replace disciplines like code reviews, but when used as part of a security-first application development strategy, they will help to deliver software engineering excellence.
Security – a non-negotiable aspect of application development
As you would expect from an organisation that champions security, OWASP has made a number of important demands of developers as we move into 2018. Cyber security is an essential aspect of modern application development, and programmers will be at the forefront of improving safeguards as regulations like PCI DSS and GDPR are applied.
It is absolutely essential, then, that developers are fully trained and upskilled in secure application development – otherwise businesses place themselves in great danger of costly, embarrassing cyberattacks that could be avoided through better programming and cybersecurity planning and testing. In most cases, compliance frameworks require developers to maintain and improve their application security (AppSec) skills to stay ahead of developing threats and exploits – so they will need regular training.
“A highly-skilled workforce is the first line of defence against modern IT security risks,” says JBI’s Cyber Security lead Geoff Hill, “Training and re-training staff in cyber security techniques and technologies is crucial to keeping your business safe – and to meeting your compliance obligations now, and into the future.”
To learn more about these skills, our OWASP training course and how JB International can help, please get in touch.