Every year in October, Cybersecurity Awareness Month is an opportunity to remind professionals and home users alike of the peril of current cyber-threats and discuss basic steps we can all take in our personal and professional lives to better protect ourselves. Too often, software developers are left out of this conversation and we miss an opportunity to acknowledge the key role they can play in fighting cyberattacks.
Every day, tens of millions of software developers create the code the digital economy relies on. This code powers connected devices from kitchen appliances to modern data centers and interacts with billions of connected users. This code is a prime target for attackers trying to steal information or disrupt organizations. What started as a simple coding mistake (or “bug”) from a developer may very well turn into the first step of a sophisticated cyberattack. So-called software vulnerabilities enable attackers to bypass the security controls of the device on which the software runs until the vulnerability has been patched. In 2016 alone, more than ten thousands vulnerabilities impacting all kind of software, devices and applications were reported.
A one-sided approach to fighting vulnerabilities focused on patching and testing will not be sufficient given the scale at which software is being used in connected devices. Developers and organizations for which they develop software also have a key role to play in reducing software vulnerabilities by building more secure code.
It starts with training and awareness. A fundamental truth about software is that it will always have bugs, a subset of which are vulnerabilities. Software vulnerabilities are not someone else’s problem. Organization developing software have to commit to a holistic secure software development process and developers have to acquire the knowledge needed to design and create secure code.
This is not wishful thinking. Hundreds of organizations are already implementing a rigorous secure software development process and millions of developers have been trained on software security techniques. We know what it takes. Non-profit organizations such as SAFECode that was founded ten years ago by major technology companies, including Dell EMC, are making available free on-line training and technical guidance to help developers and organizations successfully develop secure software.
These resources help modern-day software professionals acquire the critical security skills that are rarely taught in software engineering classes:
- Mastering the techniques for secure design,
- Knowing how to avoid common coding mistakes, or
- Ensuring that fundamental practices for secure software development are included throughout the development lifecycle.
Thankfully, we are all part of the learning economy. Please join me this Cybersecurity Awareness Month in including software professionals in your Cybersecurity conversation. Make them aware of resources available and the key role they play in strengthening the security resiliency of the digital economy.