Developers are not always security experts, so it is essential they have access to appropriate training, expertise and useable, up-to-date development tools, such as compilers, static code analysers and simulators.
An organisational culture that promotes and values developer contributions to security is another crucial factor in enabling ‘secure by design’ outcomes.
Examples of Defensive Measures
-
- Developers should only use supported tools and tool extensions. If this is not possible, the reasons why not should be understood and, where applicable, mitigations put in place to minimise any associated risks. Keeping tools up-to-date ensures that the developer has access to the latest functionality and also helps reduce the risk of compromise.
-
- Tool choice should be based on a balanced consideration of usability and functionality. This increases the likelihood of successful tool adoption whilst decreasing the possibility of incorrect usage. Ideally, the configuration settings employed by the developer should be the most secure possible. This reduces the risk of residual product defects. Both contribute towards timely product delivery.
-
- An appropriate, up-to-date coding standard should be followed for every implementation language used. This will ensure that all of the code has a consistent ‘look and feel’, which can aid readability and future maintainability. More importantly, coding standards also constrain the features of the language a developer can use to just that of a limited subset. This could be for reasons such as performance or perhaps to avoid potentially ambiguous syntax or common programming errors.
-
- Developers are often not security or usability experts, so training and access to the necessary skills and security expertise should be provided to them on an ongoing basis.
-
- Leadership should invest in the establishment of a positive security culture. There are often many competing requirements and priorities during product development – security should be given sufficient credibility and importance by seniors so that it is considered and included from the outset.
