Following the release of the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, the NetWitness team sat down with Pieter Danhieux, CEO of Secure Code Warrior, to discuss the impact this order will have on the developer community and the software industry.
NetWitness: Pieter, what did you find most encouraging about the Executive Order on cybersecurity?
Pieter: It has been very refreshing to see the US government taking cybersecurity seriously. The first indicator of that was Biden’s announcement of cybersecurity initiatives – backed by a $10B budget allocation – back in January. With the recent Executive Order (EO), they are going a step further in safeguarding government departments and infrastructure by legislating more controls around how software is developed from a security perspective.
For me, it is encouraging to see that, perhaps for the first time, a world governing body is looking at developers as a source of cyber defense. This new order, among other things, specifically calls out the need for developers to have verified security skills and adherence to stringent best practices. We have known for a long time that developers need more comprehensive training and tools to become that defensive front line, and it’s good to see the sentiment forming in legislation.
NetWitness: We know that effective security is about more than technology. It takes the efforts of people to recognize and take steps to combat threats from the development phase of products, all the way to how enterprises use those products. Can you talk more about how this order addresses this?
Pieter: There is currently a heavy reliance on security tooling at the organizational level, and while tools are a fundamental part of DevSecOps and indeed a solid security program, they are not a cure-all. No single tool finds all vulnerabilities in all languages, and they are often cumbersome and slow. We have to remember that it’s still humans who are building software that potentially powers critical infrastructure, and DevSecOps is all about getting humans on a pathway to security awareness, and a cultural change to what has been done before in terms of security responsibility.
The Executive Order does make reference to mandating scanning tools across the development process, but goes further to address a balance between tools and people. The cybersecurity skills gap is no longer an excuse for churning out poor quality software, and the EO indicates that those who are part of the development process must have verified security competencies if they want the government as a customer. Achieving this will mean that organizations must do more than they are doing now: “tick-the-box” security training that is too generic, infrequent, and irrelevant to have any impact must go, and investing in solutions that actually upskill a developer is a must. Why spend any time and money on bare minimum training? Save your money and do nothing, and it will be just as ineffective.
NetWitness: What do you think is a step that developers can take to make the tools and solutions they are building safer?
Pieter: The thing to remember is that developers didn’t sign up to become security experts, and nobody should expect them to fill that role. They want to build features, and that’s their core task. However, we produce higher volumes of code year on year, and software is eating the world. There is simply too much code to pass off to already stretched security teams, and developers have the power to ease that load by becoming security-aware and stopping common vulnerabilities from the start of the process. They should never be expected to fix complex problems, but the ones resulting from poor coding patterns can definitely be addressed when they have the skills to do so.
Developers often have poor experiences with security, and they need to be won over. Contextual learning with bite-sized chunks of training in their development environments helps to create muscle memory for secure coding patterns, and build upon existing knowledge. If they have to switch in and out of screens and programs to find answers or learn basics, it will likely be pushed to the backburner. It’s important to keep any learning engaging, relevant, and frequent, with as little disturbance to their workflow as possible. Any tools should be selected with the developer in mind, with an understanding of how they will be received and implemented into their environment. Don’t just throw anything at them – it’s a great way to perpetuate bad security experiences.
NetWitness: Do you feel that emphasizing how the U.S. Federal Government uses software will help improve the security of supply chains?
Pieter: Yes, absolutely, and securing the supply chain is a super important part of the EO. This is a great opportunity for every company to analyze their own supply chains, and evaluate the security standards of their vendors.
When there is a lack of transparency from third-party vendors (not to mention developers making use of third-party components) over their security measures, it makes it incredibly difficult to confirm that cybersecurity best practices are being fulfilled. We must analyze the suppliers we use and the software they write. These actions may be seen as the “extra mile”, but they should be inherent to a gold standard of cybersecurity best practices.
NetWitness: What role do you see automation playing as the software industry marches ahead under this new order?
Pieter: Automation is a highlight in the EO, especially in the context of security monitoring and zero-trust measures. Through sheer volume of code, intelligent automation is vital, and it does do a lot of the grunt work in maintaining safe endpoints and continuous scanning for threats.
My only reservation would be if there was a misconception that cybersecurity defense can be left on autopilot… history would attest that this is not a good strategy.
NetWitness: How do you see Secure Code Warrior’s solutions supporting the development community now that this order has been made?
Pieter: Everything we do here is built with the developer in mind, because we know what it’s like to be sitting on that side of the table. We have long championed them as the key to cyber defense, and shouted from the rooftops that their training and assessments must be far more engaging and relevant to their day jobs to be effective. It’s time to build their skills, and measure and certify security-aware developers.
To this day, no formal developer-targeted secure coding certification exists. Our learning platform, however, can train, assess, and certify developers as having the knowledge they need to code securely in the context of their work. We offer curated courses that can help achieve specific compliance goals, and we have a range of tools that integrate with popular development environments like Jira and GitHub. We have many resources that are free, as well, and ready for anyone to try now.
We’ve also used our deep in-house expertise to officially submit positioning papers to NIST, with the goal of assisting them in refining their strategies and guidelines with a more direct human element, and more specifics around the tools and training that work to solve a human problem.
NetWitness: Thank you so much, Pieter! It was a pleasure speaking with you about this issue.
Pieter: Thank you, it was great to chat with you.