Grace Francisco is a global expert on developer relations and developer strategy. She is currently the CMO and head of developer relations at Pangea, a cybersecurity company. In this article, she discusses how developers can build security into their code.
Many of you have heard the term “shift left security.” Shift left security is about looking at code that has already been built, doing static or dynamic analysis, and monitoring that code. All of that happens after the code has been built and deployed somewhere. The gap is in helping developers put security functionality within their code and meeting them where they are, because most developers are not security experts and are not given the time to acquire those very deep skills. It is important to meet developers where they are in order to deliver secure user experiences.
In 2022, bad software cost US businesses an estimated 2.41 trillion dollars. That is only an estimate, and we think the real figure is a lot larger.
Most of us deal with Personally Identifiable Information (PII), such as phone numbers and email addresses, in our application code and in our web and mobile interfaces. This information is important and needs to be protected. If an identity is stolen, a person may be unable to get medical care, insurance, and so on.
Another case was an attack on US infrastructure, after which people had to go to gas stations and buy fuel in plastic bags. The fix took so long that operators had to fall back on their default backup plans to get things up and running again.
So, from happy coding days, you land in the middle of sad days. You are stuck remediating all of these threats, re-architecting your code, and dealing with all of these problems in your application software. Then you look at the cybersecurity landscape: it is complex, there are many players, and not all of them are doing anything specific to help you, the developer.
Now, we have ChatGPT and AI. People are rapidly adopting it without looking at the potential threats.
When you put PII or any confidential information into an LLM, you are inherently putting in data that may be unencrypted and prone to a breach or an attack. People don’t think about that when they are writing their prompts, asking questions, and creating new content. The reverse side of this is the output: it may send you to a phishing site through a malicious link. You need to consider securing both the inputs and the outputs that come back.
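Guarding both sides of the LLM exchange described above, as an added example (not code from the article or from Pangea): the prompt is scrubbed of the two PII kinds the article names before it is sent, and links in the reply are checked against an allow list of hosts before they reach a user. The patterns, host list and sample strings are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Added example, not code from the article or from Pangea. Two checkpoints:
# scrub PII before a prompt leaves the application, and inspect the links in
# the model's reply before a user can click them.

# Simple patterns for the two PII kinds the article names (email, phone).
# A production redactor would use a vetted PII-detection library instead.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def redact_pii(prompt: str) -> tuple[str, dict[str, int]]:
    """Replace emails and phone numbers with typed placeholders.

    Returns the scrubbed prompt plus a count per category, so the caller can
    log that PII was removed without logging the PII itself.
    """
    counts: dict[str, int] = {}
    scrubbed = prompt
    for name, pattern in PII_PATTERNS.items():
        scrubbed, n = pattern.subn(f"[{name.upper()}_REDACTED]", scrubbed)
        if n:
            counts[name] = n
    return scrubbed, counts


def flag_untrusted_links(reply: str, allowed_hosts: set[str]) -> list[str]:
    """Return every URL in an LLM reply whose host is not on the allow list.

    The comparison is an exact match on the lower-cased hostname, so a
    look-alike such as docs.example.com.evil.test is still flagged.
    """
    flagged = []
    for url in URL_RE.findall(reply):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    print(redact_pii("Email jane.doe@example.com or call (555) 123-4567 about her claim."))
    print(flag_untrusted_links("See https://docs.example.com/help and http://login-example.test/reset",
                               {"docs.example.com"}))
```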
Here is a short story. Two women were walking along a stream. They heard a child crying and drowning in the water. They both jumped in, saved the child, and pulled it out. Right after they got out, there was one more child, and then one more, and then one more, and so on. The women were exhausted and flailing. One of them decided to go upstream, where someone was throwing kids into the stream.
This happens when software developers try to plug security breaches as they come. We’re all flailing because of all this insecure software that’s out there in the world.
CISA (Cybersecurity and Infrastructure Security Agency) has recently been publishing guidance on the need for software developers and the vendor community to embrace our responsibility: securing the way we make software, and delivering software that gives users secure experiences.
It is a cultural shift that we all need to embrace in terms of that responsibility. You must continue to educate your developers. It takes time, and this is a continual education process. We, as leaders, need to help build that culture. Security is about safety.