
Security in software needs to be Job One


It’s a scenario right out of a Bond movie. James is charging down a hallway, parkouring over bad guys, shooting everyone he sees in a mad dash to get to the glowing computer screen in a dark basement under the villain’s hideout. Inside that computer: stolen information. Maybe it’s a list of other agents. Maybe it’s nuclear secrets. Or maybe it’s a trove of private e-mails.
If there were any doubt left about the importance of cybersecurity, it most certainly was washed away after the United States’ 2016 election. Hacked e-mail servers and Russian cyber-meddling are still being discussed even after the dust has settled. A topic few people understand or can even describe properly is, perhaps, the most important and individually threatening matter of our day.
Painting so bleak a picture is not bellicose or melodramatic; it is in fact a situation that is difficult to overstate. With wild IoT devices being harnessed and bandied about like so many jumpsuited henchmen, and with daily, even hourly, attacks on almost every potentially vulnerable surface exposed to the Internet, it’s a scary time to be a software developer.
It’s positively Machiavellian, the possible vectors of attack in our modern, target-rich environment. Christopher Walken’s Bond villain Max Zorin just wanted to blow the entire Silicon Valley into the Pacific Ocean so he could corner the market on chips. It never even occurred to him to use his computer empire to take over the world in a far subtler way.
In truth, the era of SPECTRE and uniquely festooned bodyguards climbing buildings to steal documents is over. We’re now in the era of Alan Cumming’s Boris from “GoldenEye.” In our modern dystopia, Target’s millions of customers are taken by a mastermind, half the Internet is kicked offline by zombie IoT devices, and an entire political party has its body of e-mails dumped into the public domain at the behest of a foreign power.
Regardless of which party is in power, there have been and will continue to be governmental pressures to deal with the rising tide of computer security threats. The ever-looming danger on the horizon is one of legislation enacted without a full understanding of the problem, such as has happened with the Computer Fraud and Abuse Act, a federal law that can make it a crime, in certain cases, to violate a terms of service agreement.
The Federal Trade Commission has, for some time, been putting the screws to router manufacturers that make dishonest claims about their security offerings. Just last month, the FTC set its sights on D-Link as a vendor not supporting its old devices with software patches and security updates. In February 2016, the FTC settled with Asus over router insecurity, as well.
Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said, “Hackers are increasingly targeting consumer routers and IP cameras—and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
It’s a difficult climate, and one that is rife for liability, potential legislation, and, no matter what, bad publicity. Anything and anyone touching your software development process needs to be thinking about security first at all times. Otherwise your entire company could be on the wrong side of a very bad cyber threat.
Compounding the issue is the perception that security in the software development life cycle is a burden; security is often seen as a trade-off with velocity. It’s enough to paralyze a development team with scheduling nightmares.
There is hope, however, in the form of DevOps. As the DevOps and container revolutions continue to spread through enterprises, Tim Jarrett, senior director at Veracode, sees a window for change.
“What a lot of security folks are seeing is that this is an unparalleled opportunity to say, ‘As long as you’re automating your software development process anyway, let’s take the time to automate the security testing in there as well,’” he said. “They’re saying this is our change moment, this is where we can take the opportunity to build testing right into that process so it’s not an additional tax on the development team.