“I want to write really insecure code today”
May 7, 2013 By Derek Weeks

This is the last in my series of blog posts on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security, at 451 Research, and Ryan Berg, Sonatype CSO.

When asked how organizations can hire good security talent in today’s competitive marketplace, Wendy noted:

  • “Some of the best app security people that I have seen are really good developers that picked up the security mindset and learned more about it. If you have really smart architecture people… developers that already know your applications, and they have the right mindset to learn the hacking side of things, they can make really good app sec people.”

Ryan went on to explain:

  • “Developers are the front line – but you really need to have both. Since developers understand the development process, they make good security people… Having someone that is part of the agile development process, who understands the business requirements. You need the security angle, but you need to think about usability and how things might be exploited. Developers can bring a balanced view because they understand how the development organization works.”

And Ryan commented on how management has to be committed to security:

  • “I haven’t found a developer that says ‘I want to write really insecure code today’… half the time they don’t have the tools, the training, or the backing of the organization that says security is an important thing and this should be something that is part of your day-to-day responsibility.”

We believe Ryan is correct: developers want to write secure code, but they lack tools that help them do so without causing development delays. Today’s security tools aren’t designed for developers, and they aren’t designed to support agile, component-based development approaches. The Sonatype CLM was designed to address this issue.

  • The CLM provides information in the IDE that helps the developer pick the best component from the start. Choosing well at that point avoids downstream problems, which cost more to fix the later they are found.
  • The CLM integrates security, licensing, and quality information into the tools that developers already use throughout the development lifecycle. Developers don’t have to learn new tools or become security experts to use the information.
  • The CLM inventory and vulnerability information is generated instantaneously – it does not require a long-running scan that can’t be integrated naturally into the development process.

For more information about the CLM, check out the product tour.

Make sure you read Wendy’s research report, Mission Impossible: securing the open source software supply chain, with Sonatype.