{"id":92095,"date":"2023-05-26T04:46:00","date_gmt":"2023-05-26T04:46:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=92095"},"modified":"2023-05-26T04:46:00","modified_gmt":"2023-05-26T04:46:00","slug":"security-think-tank-why-secure-coding-is-neither","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92095","title":{"rendered":"Security Think Tank: Why \u201csecure coding\u201d is neither"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/05\/security-think-tank-why-secure-coding-is-neither.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>There\u2019s a little bit of a trap sometimes that can arise in the way that humans understand and process language. Specifically, sometimes we take the meaning of a word or phrase for granted. By this, I mean we use a term meaning a given thing, only for those hearing us to understand the term in a completely different way.<\/p>\n<p>This is counterproductive when it happens in day-to-day communication, but can be dangerous in the context of risk-impacting disciplines such as cyber security, assurance, and governance. In these situations, it can create risk.<\/p>\n<p>I bring this up because often we hear about <a href=\"https:\/\/www.computerweekly.com\/opinion\/What-secure-coding-practices-mean-to-modern-cyber-security\">ways to ensure \u201csecure coding\u201d<\/a> in organisations that author and maintain software as part of their business, either for internal or external use. It\u2019s important because, frankly, most businesses fall into this category nowadays. While it\u2019s natural to discuss the challenges of software risk this way, I believe the term \u201csecure coding\u201d itself presupposes a context that makes the intended end state actually <i>harder<\/i> to achieve \u2013 at least when taken literally.<\/p>\n<p>And I don\u2019t mean this just in a semantic sense. For example, I\u2019d argue that understanding why that statement is true has actual, tangible, practical value. It speaks to the root cause of why many organisations struggle with application and software risk, and it highlights practical steps organisations can take to improve. With that in mind then, let\u2019s unpack what actual software risk reduction goals are, and how best to effect them as we fulfil our requirements to develop and publish software safely and resiliently.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Software development security vs. risk reduction\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Software development security vs. risk reduction<\/h3>\n<p>The first thing to unpack is the intended end state of what we mean by \u201csecure coding.\u201d In my opinion, there are a few different, related goals usually intended by this term. First, by \u201csecurity\u201d in this context, folks typically mean two things:<\/p>\n<ol class=\"default-list\">\n<li>Employing application architecture and design patterns that foster risk reduction principals (e.g., confidentiality, integrity and availability)<\/li>\n<li>Creating software that is resilient to attack (e.g., via avenues like vulnerabilities and misconfigurations)&nbsp;<\/li>\n<\/ol>\n<p>Both of these things are, of course, incredibly important. Spend some time talking to application security practitioners and they\u2019ll, rightly, highlight to you <a href=\"https:\/\/en.wikipedia.org\/wiki\/Barry_Boehm\">Barry Boehm\u2019s<\/a> famous work about the economics of finding and fixing vulnerabilities early in the development process. They\u2019ll, rightly, explain to you the value of tools like <a href=\"https:\/\/shostack.org\/resources\/threat-modeling\">application threat modeling<\/a> that can be brought to bear to understand what and where security design issues are in software. The trap is that these things, important as they are, are not the entirety of what we might be interested in when it comes to reducing risk in software. For example, other things we might be interested in at least equally could include:<\/p>\n<ul class=\"default-list\">\n<li><b>Maturity <\/b>\u2013 ensuring processes are mature so that they are resilient to employee attrition and so that outcomes are consistent<\/li>\n<li><b>Transparency <\/b>\u2013 ensuring transparency in the supply chain of the components and libraries that our products in turn rely upon (and being able to provide that transparency to customers)<\/li>\n<li><b>Compliance <\/b>\u2013 ensure that we are compliant with the various (commercial and open source) licenses we use in developing our software<\/li>\n<li><b>Design simplicity <\/b>\u2013 does the design lend itself to being easily understood and evaluated<\/li>\n<\/ul>\n<p>And so on. In fact, these things are only the tip of the iceberg of considerations that can and do impact software risk as a practical matter. You could just as easily include things like: fitness for purpose, design rigor, supportability, testing coverage, code quality, time to market, and numerous other things that impact the risks associated with how we design, develop, test, deploy, maintain, support, and ultimately decommission our software.<\/p>\n<p>Through this lens, the question we should be asking isn\u2019t about \u201csecurity\u201d at all \u2013 but instead risk reduction (of which security is a subset, albeit a large and important one.)&nbsp; Tying software considerations just to security narrows the set of stakeholders, it narrows responsibility, and it changes the discussion. By contrast, keeping the focus on risk means everyone \u2013 even those far from the software development universe \u2013 have a vital role to play.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"The software lifecycle\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>The software lifecycle<\/h3>\n<p>The second thing I\u2019d call your attention to is the \u201ccoding\u201d element of the phrase. Yes, coding is important. But just like \u201csecurity,\u201d it\u2019s only a piece \u2013 though a large one \u2013 of the lifecycle involved in development of software. Consider how software is normally designed and how many different steps are involved. While individual software development lifecycles (SDLCs) might describe them differently, at a high level you might have steps \u2013 in the abstract anyway \u2013 similar to the following:<\/p>\n<ul class=\"default-list\">\n<li>Identification of need<\/li>\n<li>Ideation\/Inception<\/li>\n<li>Requirements gathering<\/li>\n<li>Design<\/li>\n<li>Development<\/li>\n<li>Testing<\/li>\n<li>Deployment<\/li>\n<li>Support<\/li>\n<li>Maintenance<\/li>\n<li>Decommissioning<\/li>\n<\/ul>\n<p>This is a lot of steps. And you\u2019ll notice that each of them could themselves be further broken down into myriad individual sub-steps. For example, a step like \u201ctesting\u201d can encompass (depending on SDLC in use, context, etc.): unit testing, functional testing, regression testing, performance testing, security testing, and any number of other individual items. How many of these involve just \u201ccoding\u201d vs. how many don\u2019t but are nevertheless critical to ensuring a robust product at the end?<\/p>\n<p>In other words, there are a legion of possible ways for stakeholders involved at any stage of this process to either introduce or mitigate risks depending on the processes they follow, their training, their awareness, and numerous other factors. This means that a risk-aware program designed to reduce, manage, and mitigate software risk needs to account for all of them and, wherever possible, bolster those actions that favor risk reduction outcomes. Point being, while coding is arguably the most \u201cvisible\u201d step along the software development and release process (at least internally), it\u2019s also not the only place where we should focus.&nbsp;<\/p>\n<p>As you\u2019d expect then, your application \u2013 or software depending on preferred parlance \u2013 risk &nbsp;management efforts should include the whole lifecycle. This by extension means two things: 1) that you understand and account for the whole lifecycle holistically, and 2) that you extend your planning to include areas outside development that nevertheless hold a stake. Include and deputize testing personnel, business analysts, project and product managers, support teams, sales, marketing, HR, and legal \u2013 bring them under the umbrella of caring about the security of what you build.&nbsp;<\/p>\n<p>As I said at the outset, this isn\u2019t just about the semantics (though granted I\u2019ve framed it that way to illustrate the point.) Instead, it\u2019s about understanding that risk is impacted by the entirety of the processes surrounding software development and that risk extends well beyond what we traditionally might tend to focus on when looking at things like vulnerabilities.&nbsp;<\/p>\n<p>Why is it not just semantics? Because it speaks to something bigger that\u2019s incredibly important. In <a href=\"https:\/\/en.wikipedia.org\/wiki\/Ends_and_Means\"><i>Ends and Means<\/i><\/a>, Aldous Huxley once famously said that, \u201c<i>The end cannot justify the means for the simple and obvious reason that the means employed determine the nature of the ends produced.<\/i>\u201d His point was that how we do something determines, in large degree, what the end state will be. Extending that to software development, I\u2019d argue that disorganised, immature, and \u201cslapdash\u201d development processes will inexorably produce software that is more shoddily designed and more poorly implemented than would otherwise be the case if a more robust and disciplined process were followed instead. This in turn means, we target goals beyond security and we embrace processes beyond writing code.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>There\u2019s a little bit of a trap sometimes that can arise in the way that humans understand and process language. Specifically, sometimes we take the meaning of a word or phrase for granted. By this, I mean we use a term meaning a given thing, only for those hearing us to understand the term in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-92095","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92095","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92095"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92095\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92096"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}