This October 2016, Checkmarx is celebrating National Cybersecurity Awareness Month (NCSAM) with content focused on educating and empowering developers about secure coding practices under the slogan “Developers Vote Security.”
As more and more organizations across all verticals speed up their development and adopt DevOps, the responsibility of security is increasingly falling into the hands of the developers during the development stages of the SDLC as the windows for security testing in the later stages continue to shrink.
Each week, we will publish insightful interviews with C-level executives from leading cyber security companies in an effort to help developers become application security champions throughout the entire month of October.
Our first interview is with Dan Cornell, the Chief Technology Officer and a Principal at Denim Group, Ltd.. Dan is a sought-after speaker and security expert who has spoken at numerous international conferences including RSA Security Conference, OWASP AppSec USA and EU, and Black Hat Arsenal and his Tedx talk “Cybersecurity: It’s All About the Coders” can be viewed here.
Dan is a recognized expert in the area of web application security and with his 15+ years of industry experience, we thought he would be perfect appsec expert to kick-off National Cyber Security Awareness Month 2016 on the Checkmarx blog.
Talking Secure Development with Security Expert Dan Cornell:
Checkmarx: What was your first coding language? Why?
Dan Cornell: Q-Basic because it shipped with my Tandy 1000 EX.
Checkmarx: Mac or PC?
Dan Cornell: Mac.
Checkmarx: What are two things about your role as a cyber security CTO that you are the most passionate about?
Dan Cornell: First – I love working with teams to see them make real progress securing their software. When they can start to get a handle on their application portfolios, make headway getting applications under a testing program, begin transitioning vulnerabilities to be software defects, and ultimately see vulnerabilities get fixed – that is really exciting because they can then take that data and those lessons learned and use them to accelerate their progress.
Second – I love seeing what security teams do with ThreadFix. The best ideas in the product haven’t come from our product team, but rather from the security organizations deploying it. I love to see folks using the capabilities of the platform and wiring them into their processes in interesting ways to solve the specific challenges they are having in their application security programs. Enabling other practitioners to creatively solve problems is pretty gratifying.
Checkmarx: What advice do you have for developers who want to increase security in their code?
Dan Cornell: Validate inputs, encode outputs, and think about authentication and authorization.
Checkmarx: Based on your experience, what recommendations do you have for security teams who want to work better with developers?
Dan Cornell: The best thing they can do is hire developers to be on the security team. Security teams need to learn about what is driving the development teams in their organizations and find ways to latch onto those trends. Security isn’t going to be able to “stop” DevOps from happening because organizations need the speed and flexibility DevOps promises to stay competitive. But if the security teams can understand what the development teams are trying to accomplish, and understand development tools and practices they can earn themselves a seat at the table to provide a security perspective.
Checkmarx: Moving forward to 2017, what advice would you have for organizations who are looking to grow and scale their security?
Dan Cornell: Automate absolutely everything you can – you have to have the baseline bozo stuff handled so that you can focus your talent on the highest-value activities. Automation is the first step that frees up those resources to do their best work.
To learn how DevOps is changing the way businesses develop apps, be sure to read “4 Keys To Integrating Security into DevOps ” here.