First aid for vulnerabilities: don’t do everything yourself
Code has never contained more vulnerabilities. That makes sense, as there has never been more code than there is today. Yet the risk grows disproportionately. In the year 2000, there were barely 1,020 registered CVE vulnerabilities; in 2010, there were not that many more: 4,155. But in 2017, that number exploded to 14,714 CVEs, up from just 6,454 a year earlier. And in 2021, as many as 20,149 new vulnerabilities were detected.
Not every software bug is equally serious, but the figures show that the number of vulnerabilities in software is growing rapidly. Moreover, it is no secret that organizations are not always quick to install important patches, which means that older vulnerabilities continue to linger. Add to this the fact that criminal cyber organizations today operate as well-organized companies with a strong appetite for profit, and you understand why it is more important than ever to make your code watertight.
1. Follow the rules of the trade
Easier said than done. As a developer, you can first and foremost adhere to some best practices. Some bugs are the result of laziness and can be easily avoided. Are you building an application that processes input from users? Then make sure all that input is properly validated. SQL injection is a common and dangerous problem.
Also provide meaningful error messages, adequate encryption for sensitive data, HTTPS as the default for web pages, a secure login system where appropriate, and so on. There is no longer any excuse for presenting a user with the message “your password is too long”. Everyone makes mistakes, but keeping security in mind from the very start of writing an application goes a long way.
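To make the input-validation point above concrete, here is an added example (not code from the original article) that puts a query built by string concatenation next to its parameterised counterpart, with an allow-list check as a second layer. The in-memory SQLite table and the tainted input are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample database for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input pasted straight into the SQL text: whoever supplies
    # `name` now controls the structure of the statement, not just a value.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver passes `name` as data, so it cannot
    # alter the statement, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(name: str) -> bool:
    # Allow-list validation (hypothetical policy): 1-32 alphanumeric
    # characters. Rejecting bad input early is the second line of defence.
    return 1 <= len(name) <= 32 and name.isalnum()


if __name__ == "__main__":
    db = make_db()
    tainted = "nobody' OR '1'='1"          # constructed tainted input
    print(find_user_vulnerable(db, tainted))  # every row leaks
    print(find_user_safe(db, tainted))        # [] : no user has that literal name
    print(validate_username(tainted))         # False: never reaches the database
```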
2. Vulnerable dependencies
The most dangerous vulnerabilities, however, are not your fault. Most applications rely on popular third-party libraries. When a zero-day slips in there, the gates are wide open. Consider the innocuous Log4j library, in which the Log4Shell vulnerability exposed half the world to cybercriminals.
Analyzing all these external libraries yourself is clearly an impossible task. Fortunately, there are tools to help you. These use automated scans to show when your application relies on a library with a known vulnerability. In doing so, the security solutions do not necessarily look at the code itself, but check whether the open source components can be trusted. You might not want to integrate that old version of Log4j after all.
3. Scanning your own code
Such automated tools also exist for your own code. The solutions come from both traditional security companies and specialized parties. They are able to find common bugs that you yourself might overlook on a busy day. This can be done in the GitHub repository where your project is parked, or directly in your IDE. That way, you fix errors even before your code is compiled, and certainly before it goes into production. Prevention takes less time than cure. An additional advantage: some tools also suggest an immediate solution.
Finally, it is best to assume that even best practices and handy tools do not provide absolute security. The more secure the environment in which your app runs, and the better the configuration around it, the less likely that something will go drastically wrong. That collaboration on security between the developer and the operational IT team is also part of DevOps. When everyone takes responsibility and follows best practices, there is less risk that something will fail.
4. More than a patch
And lastly, if a component does turn out to have a bug, or if you have made a mistake yourself: patch right away, but do not close your laptop the moment you are done. Did the patch address the root of the problem, or did you merely put a band-aid on the wound? Recent research by Google Project Zero revealed that half of the zero-days discovered in the first half of 2022 were variants of previously discovered and poorly patched bugs.
The developer who takes security seriously, upholds the right culture and deploys tools and resources whenever possible, is well-armed against the ever-increasing threat landscape. That is something you can be proud of, and hopefully it will also be appreciated in the company you join.
Safety first! Does that immediately make you think of cybersecurity, too? Are you an ace at providing first aid for vulnerabilities? Then we definitely have a job for you. Check out our vacancies!