The second in our series of our 2016 National Cyber Security Awareness Month (NCSAM) interviews is with Rami Sass, co-founder and CEO at WhiteSource, the solution that helps engineering executives all over the world to effortlessly manage the use of open source components in their software.
Checkmarx’s theme for NCSAM 2016 is “Developers Vote Security.” As more and more organizations across all verticals speed up their development and adopt DevOps, the responsibility of security is “shifting left” and falling into the hands of the developers during the development stages of the SDLC as the windows for security testing in the later stages continue to shrink. These interviews are a key part of the content that Checkmarx is sharing in order to empower and educate developers about secure development best practices.
Open Source Security with Rami Sass
Rami Sass is an experienced entrepreneur with a rich background in security, R&D and product management. During his time at Eurekify, and later CA, Rami became an expert at designing and implementing complex security management and compliance software systems, and delivering them to the market. Among Rami’s specialties include solving both algorithmic and implementation problems. Implementation of enterprise grade software. Excellent collaboration and technical leadership skills.
Checkmarx: What was your first coding language? Why?
Rami Sass: It was Pascal. I was 14, naïve and didn’t know any better…
Checkmarx: Mac or PC?
Rami Sass: PC all the way!
Checkmarx: What are two things about your role as a cyber security CEO that you are the most passionate about?
1) One of my biggest passions is bringing open source communities closer to the developers in commercial organizations that use their work.
I believe that by managing open source security, more developers can feel more confident in using more open source components when building products for their organizations.
2) Being part of a dynamic community that helps drive innovation. You can never be complacent, but rather keep on developing and improving.
Checkmarx: What advice do you have for developers who want to increase security in their code?
Rami Sass: To keep in mind that security is everywhere and awareness is key. Whether you’re working on web, mobile, UI, embedded or anything else, you’re always on the front line when attacks and breaches happen
Security aspects should be baked in from the first line of code. Your software will probably get additional defenses when it’s installed (firewalls, tripwires, etc.) but none of them will ever be foolproof. At the end of the day, you’re responsible for the security of your code.
Checkmarx: Based on your experience, what recommendations do you have for security teams who want to work better with developers?
Rami Sass: Try to understand their considerations and priorities. No one likes being forced into assignments, or being surprised with more work after they thought they were done.
Try also to get involved as early in the process as possible, ideally at the planning and design phase. This way you can steer the process towards giving security-related tasks more time and resources.
Checkmarx: Moving forward to 2017, what advice would you have for organizations who are looking to grow and scale their security?
Rami Sass: Remember that security is still more art than science, and that despite the multitude of tools and services available, nothing replaces good old-fashioned common sense and good judgment.
It’s very important to prioritize the security of sensitive information and systems, but it’s just as important not to push too hard where it’s not necessary. A good example is password complexity.
It’s usually the case that when passwords have too many requirements, people will simply start writing theirs on post-it notes, and sticking them on their screens. The required level of security needs to be determined by its purpose and context.
During October, for 2016’s National Cyber Security Awareness Month (NCSAM) Checkmarx will be publishing insightful interviews with top C-level executives from leading cyber security companies in an effort to help developers become application security champions throughout the entire month of October.
Read how Checkmarx can help ensure that your open source components are secure here.