
    By Andy August and Rhonda G. Chicone

    I recently read an article by one of my colleagues (the coauthor of this article) that asked whether software developers are the Achilles’ heel with regard to cybersecurity.

    Because we are both software developers and educators, we decided to answer the question. Yes, software developers are to blame for insecure software, but not entirely. Typically, software is not created by just one person; it is a collaborative effort, requiring input from many individuals within an organization. 

    In an organization, the requirements typically come from customers and/or stakeholders. A good example of a stakeholder is a marketing department. A business analyst or requirements engineer will prioritize the requirements for the features of the software system. A schedule is then put together. The software development team is monitored to be sure the requirements are met when creating the software system. Finally, the software quality assurance team will verify that the requirements have been met.

    At any time during this process, individuals have the opportunity to ask about the security implications of a feature for the system. The best time to bring up such concerns is when the feature is first proposed. So, we place the blame on the entire team, not just the software developer.

    What Is the Solution?  

    We propose a team solution; everyone involved in the project has an important role and responsibility to play when it comes to secure software development practices. The organization has to make security an essential part of the software development life cycle starting at inception. Security implications and concerns need to be considered during every step of the life cycle, which includes the requirements phase, the software design and implementation phases, and the testing and the maintenance phases. Mind you, it doesn’t matter what software process methodology (waterfall or agile) an organization is using, as security needs to be a part of the organization’s culture. Security should be one of the goals of the system as opposed to an afterthought or an oversight. The stakeholders may not know the technical solution that is needed, but they should have their eyes on the bigger picture and recognize the need for secure software systems. Also, an organization should strive to hire the best people it can find. In addition, organizations should use tools to communicate, collaborate, increase productivity, and monitor progress of ongoing projects.

    What Can Developers Do? 

    The software developer is responsible for creating software that will operate in a safe and secure manner. The environments that software runs within have changed quite a bit with the advent of mobile and cloud computing. Can one person be expected to know all of the intricacies?

    In any software team, there are different levels of expertise. The junior members are often mentored by the more senior members. The technical lead and architect should emphasize security in every solution they design. It should always be a design goal.

    There are well-known techniques that can help to improve the quality and security of software systems. As a leader, the technical lead or architect should inspire the software development team to get on board and become excited about using these techniques, as they will go a long way toward solving the security issues.

    1) Design Patterns 

    The software architect is the most technically seasoned member of the team. It is the role of the architect to lay out the original solution. This design will be at the core of the entire system. The initial design sets the pattern for the rest of the team to emulate. Create an example of validating input and of handling the various types of software exceptions that can occur (exception handling), and take the time to teach the team. The architect needs to be aware of best practices and of what technologies can be used to solve the problem at hand.
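    The kind of reference pattern an architect might hand the team for the two points above, input validation and exception handling, as an added example that is not from the article; the field names (username, port) and their limits are assumptions for illustration. It distinguishes expected validation failures, which are reported to the caller, from unexpected errors, which are logged in full and answered with a generic message so the system fails closed without leaking internals.

```python
"""Reference pattern for input validation and exception handling (added example)."""
import logging
import re

log = logging.getLogger(__name__)


class ValidationError(ValueError):
    """Raised when untrusted input fails a check; its message is safe to show the caller."""


# Allowlist of what a valid username looks like (an assumption for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value):
    """Reject anything that is not a short string of allowed characters."""
    if not isinstance(value, str):
        raise ValidationError("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username must be 3-32 letters, digits or '_'")
    return value


def validate_port(value):
    """Convert to an integer and enforce the valid TCP/UDP port range."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValidationError("port must be an integer") from None
    if not 1 <= port <= 65535:
        raise ValidationError("port out of range")
    return port


def process(clean):
    """Business logic: only ever sees input that has already been validated."""
    return {"user": clean["username"], "port": clean["port"]}


def handle_request(raw):
    """Trust boundary: validate first, then separate expected from unexpected failures."""
    try:
        clean = {"username": validate_username(raw.get("username")),
                 "port": validate_port(raw.get("port"))}
        return {"ok": True, "result": process(clean)}
    except ValidationError as exc:
        # Expected failure: tell the caller what was wrong with the input.
        return {"ok": False, "error": str(exc)}
    except Exception:
        # Unexpected failure: keep the details in the log, return a generic message.
        log.exception("unhandled error while processing request")
        return {"ok": False, "error": "internal error"}
```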

    One way to accomplish this is to make use of best practices. These are known ways to solve a similar problem. These are called design patterns. Can one person know about all of these? It takes time to become a seasoned software developer, so take advantage of those who came before you.

    2) Software Frameworks 

    Another way to produce secure software is to make use of proven frameworks. Frameworks are special libraries of software routines. These libraries are written by software companies that specialize in specific areas, and the software company provides a reusable, well-defined interface for software developers to use.

    Many frameworks have already integrated many security features.

    3) Always Make Use of Standards 

    Software standards help to ensure interoperability. In some cases, a software system may have to communicate with other software systems, and standards can be used in this case. They are specifications for common problems in software engineering, and there are hundreds of standards in the computer industry.

    4) Use Coding Standards 

    The code the software development team creates should adhere to naming and style conventions. These conventions can be defined by the software development team. What is important is that the code is uniform, and that the coding standards are agreed upon and used by every software developer. In addition, code reviews can be very beneficial to a software development team. In a code review, a completed piece of code is examined by another software developer. It is similar to peer review, and it helps find issues that the original software developer may have missed.

    Regardless of the experience of the software development team, it is crucial to emphasize the need for security within the software development process. Everyone involved in the process must own the fact that security is a goal. Once software security becomes a goal, the culture of the team or organization will start to change. Software developers will strive to consider security in every solution they create, thereby reducing cybersecurity risks.


    Andy August and Rhonda G. Chicone are professors at Kaplan University. The views expressed in this article are solely those of the authors and do not represent the view of Kaplan University. 
