What best practices should software developers adopt now - if they have not already?
Zinghini: The best thing to do is accept that security is just as critical to building software as safety is to building airplanes, and make a conscious decision to build security into your software development process. Worry about software security before you even start writing code, incorporate vulnerability scanning tools into your continuous integration system, and integrate security testing with your quality assurance process. If you need help convincing your management of the importance of this, use resources like the Department of Homeland Security's Build Security Initiative to communicate the seriousness of this issue.
Is it better to try and find vulnerabilities in apps, or better to rewrite them?
Zinghini: There's no clear-cut answer as to whether it's easier to remediate an existing app or rebuild it to be more secure. It all depends on the quality and complexity of the existing application, and just how bad the security issues are. That said, there are risks involved with rebuilding (it's generally harder to replicate the functionality of an existing app than to build a new one), and there are emerging technologies (like application firewalls) that make it easier to "build a wall" around an app to make it more secure. In the end, it's a judgement call, but I tend to lean towards securing the existing app.
Do mobile apps bring the same challenges?
Zinghini: There's an odd misconception that somehow mobile software is "different", and you don't need to worry about security. That's not true. It's a bit easier to secure mobile apps simply because they are generally smaller in scope than web or cloud apps -- a good mobile app should focus on doing only a few things, and doing them well -- but security is no less important.
What about code written for Internet of Things (IoT) devices?
Zinghini: We're all getting excited about the Internet of Things, and we have to remember that when you connect your "things" to the Internet, you're opening a new attack vector into your network. You need to secure that device just as surely as you would make sure that the new window you install in your home has a lock on it.
Should CEOs be involved with security?
Zinghini: The growing awareness among the software development community that security is important is very encouraging. But this is a grass-roots movement that all too often meets resistance from decision-makers in the organization. The product people want to release "yesterday" and are not receptive to the argument that security takes time, and the budget-makers are not willing to invest in the people and tools that are necessary to ensure the security of their product. The only way that change will happen is to lead from the front: CEOs need to make clear to everyone in their organization that security is "job one", and they need to back that up with time, people, and money.