by Shadma Shaikh

Ashok Sharma was speaking to a hall full of developers on a Saturday in Bengaluru. Majority of the crowd that had come to attend Open Source India - the event that ran 3 parallel tracks - had drifted in the hall that held a track on cyber-security.

"I have a word of advice for people who are aspiring to find good developer jobs," Sharma who is the cofounder of QOS Technology said. "While you mention to your interviewer that you can write a clean code, stress on the fact that you can write a secure code and your chances of getting hired will definitely increase."

Of course, you also need to back this claim by actually writing a secure code. Take up a training or two to learn how to stress on the security aspect of the code, he said.

The concept of developers taking the onus of writing secure codes was not just the mood at cybersecurity session in the conference. The industry has increasingly realized that in many cases a security incident could have been prevented if the underlying software was more secure.

"Security issues are nothing but bugs left by developers," says Kaiwan Billimoria, founder of Kaiwan Tech that provides Linux consulting and training. Kaiwan is of the opinion that developers tend to overlook security aspect while writing a code.

A report by the U.S. Department of Homeland Security (DHS) states that 90 percent of security incidents result from exploits against defects in software.

With the emphasis and dependence on software as the main focus of large enterprises, developers are under a lot of pressure to deliver faster and efficient code. This often results in security taking a back seat in priority.

Blame it on the fast-paced internet business! Most online businesses are running in a highly competitive market where early bird catches the first mover advantage. Buzzwords such as customer acquisition, customer loyalty, and a seamless customer experience take precedence in board meetings, often ignoring the security big time.

A classic case was the example of India's largest online wallet company that jumped the gun when the country went into cashless crisis post demonetization. The developers burned the midnight oil to release a version of the merchant app, which accepted payments using a phone as a point-of-sale without the need of a physical card reader. The company later had to retract the app feature after payment networks and public raised security concerns.

"Awareness of writing a secure code is something that needs to be built at the basic level," says Anish Cheriyan, director of quality at Huawei. "You don't necessarily have to think of security as an additional check. It needs to be intrinsic."

Anish who works with a lot of developers in the company shares the opinion that developers need to be given more time to deliver a piece of code while also be trained to write better codes.

"You can't first write a code and then decide to make it more secure," he says. "There's nothing like a special 'secure code', every code by default needs to secure."

While the situation looks bleak on the surface, companies have started taking note of the skill gap in developers and are introducing steps to change the landscape.

David Lenoe, Director of Secure Software Engineering at Adobe says the company employs a strict set of security activities spanning software development practices, processes, and tools. These security activities are integrated into multiple stages of the secure product lifecycle (SPLC).

"Our Adobe Secure Software Engineering Team (ASSET) developed a security certification program that is organized in a martial arts belt-style framework - so employees can earn their white and green security belts by going through self-paced computer based training tailored for Adobe's specific needs," he said. "Brown and Black belts are achieved through practical project-based activities that help improve Adobe's security in one way or another."

Microsoft hosts a community Secure Development at Microsoft to inform developers of new security tools, services, and open source projects and instill secure development practices while creating a collaborative engineering mindset across developers worldwide.

"Microsoft launched its cybersecurity engagement center in India to educate and create more awareness among the developer community and Indian enterprises," said Sandeep Alur Director, Technical Engagements at Microsoft.

For secure codes to become a norm, it is essential for both developers who write codes and companies who employ them to consider the security of code to be of critical importance. It's more than a matter of awareness-developers need to be trained to write codes that are as secure as they are functional. A code that can be written overnight can very well be hacked overnight!

By Shadma Shaikh

The author is a former technology journalist who heads content and communication at Payatu Technologies, the organizer of Nullcon and Hardwear.io.


Shadma Shaikh