
Op-Ed: Bad practices are increasing security risks within software development projects

A recently updated discussion paper issued by the US-based Cybersecurity and Infrastructure Security Agency (CISA) paints a concerning picture of the software development sector.


A recent CISA discussion paper details some exceptionally risky software development activities that are in all-too-common use.

They include allowing user-provided input in SQL query strings and OS command strings, the use of open-source software with known vulnerabilities, and a lack of multifactor authentication (MFA).

While CISA’s efforts can help organisations navigate the “need for speed” in a fast-moving DevOps environment, IT and security leaders must do their part to prepare their organisations for the needed changes.

Growing awareness of ‘Secure-by-Design’

Interestingly, a Secure by Design pledge initiated by CISA has already attracted the endorsement of almost 300 organisations. They vary from widely used developer platforms like GitHub to industry heavyweights such as Google.

Similar initiatives have been launched in other countries, including Australia, reflecting the reality that secure software needs to be a global effort. However, there is a long way to go when you consider the thousands of organisations that produce software.

As the name suggests, Secure-by-Design promotes shifting left in the software development life cycle (SDLC) to gain control over the proliferation of security vulnerabilities in deployed software. This is especially important as the pace of software development has been accelerated by the use of AI tools.

In addition to shifting left, the pledge addresses other security best practices, such as using MFA, eliminating default passwords, quickly applying security patches, and eliminating entire classes of vulnerabilities. The pledge asks signees to demonstrate progress towards each of its seven goals within a year.

Avoiding memory-unsafe languages

The recent guidance on eliminating bad practices also suggests some relatively new advice, such as avoiding the use of memory-unsafe languages. These languages allow operations that can corrupt memory and lead to vulnerabilities such as buffer overflows and memory leaks.

CISA admonishes developers for using languages such as C and C++ despite the availability of memory-safe languages such as C#, Rust, Go, Java, Swift, Python, and JavaScript. Memory-unsafe languages, which include assembly language, are also common in open-source code.

While CISA recognises that organisations can’t simply transition their projects to memory-safe languages overnight, it does set a deadline of 1 January 2026 for them to publish a memory safety roadmap.

This roadmap should outline a plan to eliminate memory safety vulnerabilities in priority components, such as network-facing code or code that handles sensitive functions such as cryptography. Eliminating memory-unsafe languages can help in removing those classes of vulnerabilities.

As with other poor security practices, failing to correct the problem “significantly elevates risk to national security, national economic security, and national public health and safety”, CISA said.

Secure coding is at the heart of a strong security culture

Organisations can undertake a range of initiatives to push their adoption of Secure-by-Design practices and put themselves on the path to a safer, more secure environment.

Improving the skill sets of developers is a critical first step. Software engineers traditionally get little or no cyber security experience at higher educational institutions. They typically develop software (at an increasingly rapid pace), and then security teams are forced to play catch-up.

Regular learning pathways are beneficial in that they provide developers with the ability to write secure code at the start of the SDLC and assess the code generated by AI or acquired from open-source repositories and other third parties.

Upskilling programs should also be continuous, involve flexible, hands-on labs that address real-world scenarios, and instil a security mindset. They should expand developer skills in several ways, from utilising safe coding patterns to teaching a threat modelling process in which developers adopt an attacker’s role and simulate attacks.

Beyond training

However, providing training isn’t quite enough. Organisations need to be sure that the security program provides the necessary skills that truly connect with developers and actively manages developer risk. Data-driven skills verification can give organisations visibility into proficiency programs, helping to establish baselines for security skills while measuring the progress of individual developers and the organisation as a whole.

Measuring performance in specific areas, such as within programming languages or specific vulnerability management, paves the way to achieving holistic Secure-by-Design goals, in addition to the safety gains that would be realised from phasing out memory-unsafe languages.

Developer upskilling is a critical part of creating an enterprise-wide security culture that extends from entry-level workers all the way up to the C-Suite. This cultural shift is essential for improving software quality and requires a comprehensive approach.

A fundamental shift towards a security-first mindset is gathering pace across the software industry, as organisations confront the persistent shortcomings in code quality that Secure-by-Design principles aim to resolve.

This new approach encompasses a range of measures: the implementation of enterprise-wide security protocols, the widespread adoption of multifactor authentication, targeted upskilling programs to equip developers with secure coding practices, and even a transition towards exclusive use of memory-safe programming languages.

Together, these initiatives are seen as critical steps in addressing the entrenched vulnerabilities that continue to plague modern software.
