Trying to write perfect code is pointless, because it is impossible. As mathematician web3 builder Przemek Chojecki, who was recognized in Forbes 30 Under 30, says: “Don’t try to write perfect code. It doesn’t exist, and you’ll never complete anything if you try.”
This does not mean, however, that developers should give up on addressing security issues in their coding. Cybersecurity is a major concern in the current business landscape, given cyberattacks’ high costs related to business disruption, remediation, and reputational damage. More than ever, it is important to pay attention to security in software code, especially with the rise of low-code/no-code technology, which enables the rapid production of business apps, and DevOps, which emphasizes the shortening of the system development life cycle.
Unfortunately, it appears that security, as far as developers are concerned, will still be back-burnered in the foreseeable future. What are the reasons for this, and what should be done to change this paradigm?
Security is not being prioritized
A recent study by University of Zurich researchers reveals that developers continue to struggle with security issues during code reviews. The study’s findings show that the vast majority of developers agree that companies must do more to support security in software development. However, this is not what is happening in reality. Security remains to be a non-priority and code security is assessed less frequently than reported.
Nowadays, there are secure coding solutions designed to help organizations follow best practices in writing secure code. These are automation tools that stop developers and DevOps teams from committing mistakes or unwittingly creating vulnerabilities in their code. Serving as an aid in “shifting left,” these tools run automated routines to detect, identify, and predict code vulnerabilities. Still, these solutions do not appear to be widely used, as evidenced by the findings in the University of Zurich study.
A survey by HelpNetSecurity affirms this non-prioritization of security in coding, with 86 percent of respondents saying that they do not consider application security a top priority and more than half admitting that they cannot guarantee that their code is protected from common threats and vulnerabilities.
Both the University of Zurich studies, however, offer key hints on how to address the problem. The former asserts that companies should play a more active role in addressing security shortcomings in code review. Rewards or incentives may be given to developers who adhere to best practices and help reshape employee attitudes when it comes to security.
Meanwhile, the latter cites the importance of training in improving developers’ mindset in integrating security in their coding. Companies should provide adequate training to empower developers to write secure code, given that the HelpNetSecurity study finds that 33 percent of developers do not know what makes their code vulnerable and 30 percent believe that their in-house security training needs improvement.
Stack Overflow’s Ryan Donovan says that as much as 7 to 23 percent of code is copied from somewhere else. Code copy-pasting is a common practice, and it is not necessarily bad. It helps developers expedite their projects. It also allows developers to find solutions whenever they get stuck or run out of ideas on how to solve certain problems.
The problem with code cleaning is that it can result in vulnerabilities. One example of which was the cracking of Hyundai’s car security with the help of Google search. A developer says that Hyundai apparently secured its car infotainment system using keys lifted from programming examples. This made it possible to bypass the system by simply searching for and obtaining the relevant files from the internet.
Obviously, the solution to the copy-pasting or code cloning problem is to avoid doing it as much as possible. However, it is understandable that many have to rely on existing code to keep up with their deadlines. In such cases, it is crucial to make sure that generic details are modified, and code security reviews are undertaken.
In the Hyundai example, the vulnerability may have not been that severe, as it only affects the infotainment system and does not enable access to the car’s engine. This vulnerability, however, can be exploited to steal data from smartphones or tablet computers synced with the car’s infotainment system.
Lack of time and skills
Deadlines: this is the top reason why developers pay little to no attention to code security. Software development continues to be mired by nearly unreasonable expectations. It is not impossible to incorporate best practices when writing code if there is enough time for developers to do it. Similarly, code reviews can only be effective if they are undertaken meticulously by skilled and experienced developers.
Going back to the University of Zurich study, one of its notable findings is that code review tends to be inadequate because of the lack of skills and experience of those who conduct it. In most cases, code reviewers are chosen because of their expertise in the programming language used, not their security knowledge and experience.
Time is a luxury when it comes to software development. It would be foolish to insist that development teams should have a lot more time for code review since doing so would inevitably spell the defeat of development companies to their competitors. A more viable option is to provide the right training and a conducive environment for developers to perform optimally.
Companies stand to benefit from human resource investments. They can’t extend project times, but they can do something to make their developers more productive through training and the latest development information and insights.
Also, the use of secure coding automation solutions would help significantly. While these automated tools may not yet be capable of fully replacing human code reviewers, they can help ease responsibilities by spotting common flaws, which usually make up most code vulnerabilities. Human code reviewers can then focus on more complex concerns that may not be addressed by automated solutions effectively.
Secure coding is not impossible
While it appears mostly an aspiration, for now, the integration of security and coding is not an impossibility. There are ways to achieve it, especially with supportive organization policies and investments, the proper training, and the adoption or possibly the standardization of best practices. The existence of secure coding automation tools, which used to be nonexistent years prior, is also a big help.
Secure coding is not perfect coding. It is more proximate to or slightly better than “good enough” code. Nobody would say it cannot be achieved, but it may take some time for it to happen and become the norm in software development.
Review Why Secure Coding Remains Elusive, and How to Address It.