Cybersecurity Needs All Software Developers

Every year in October, Cybersecurity Awareness Month is an opportunity to remind professionals and home users alike of the peril of current cyber-threats and discuss basic steps we can all take in our personal and professional lives to better protect ourselves. Too often, software developers are left out of this conversation and we miss an opportunity to acknowledge the key role they can play in fighting cyberattacks.

Every day, tens of millions of software developers create the code the digital economy relies on. This code powers connected devices from kitchen appliances to modern data centers and interacts with billions of connected users. This code is a prime target for attackers trying to steal information or disrupt organizations. What started as a simple coding mistake (or “bug”) from a developer may very well turn into the first step of a sophisticated cyberattack. So-called software vulnerabilities enable attackers to bypass the security controls of the device on which the software runs until the vulnerability has been patched. In 2016 alone, more than ten thousands vulnerabilities impacting all kind of software, devices and applications were reported.

A one-sided approach to fighting vulnerabilities focused on patching and testing will not be sufficient given the scale at which software is being used in connected devices. Developers and organizations for which they develop software also have a key role to play in reducing software vulnerabilities by building more secure code.

It starts with training and awareness. A fundamental truth about software is that it will always have bugs, a subset of which are vulnerabilities. Software vulnerabilities are not someone else’s problem. Organization developing software have to commit to a holistic secure software development process and developers have to acquire the knowledge needed to design and create secure code.

This is not wishful thinking. Hundreds of organizations are already implementing a rigorous secure software development process and millions of developers have been trained on software security techniques. We know what it takes. Non-profit organizations such as SAFECode  that was founded ten years ago by major technology companies, including Dell, are making available free on-line training and technical guidance to help developers and organizations successfully develop secure software.

These resources help modern-day software professionals acquire the critical security skills that are rarely taught in software engineering classes:

Thankfully, we are all part of the learning economy. Please join me this Cybersecurity Awareness Month in including software professionals in your Cybersecurity conversation. Make them aware of resources available and the key role they play in strengthening the security resiliency of the digital economy.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize