The third in our series of 2016 National Cyber Security Awareness Month (NCSAM) interviews is with Maty Siman, founder and CTO here at Checkmarx.
Maty is passionate about secure programming and moving secure development education and awareness away from the “back seat” that security has traditionally taken for programmers. Read Maty’s advice for organizations who want to scale their security in 2017 as well as his recommendation for application security awareness training in the interview below.
Before founding Checkmarx, Maty was a senior IT security expert and project manager at the Israeli Prime Minister’s office following six years of teaching application development and working as an IT Security R & D Officer with the national security forces.
Cyber Security Tips – Interview with Maty Siman
Checkmarx: What was your first coding language? Why?
Maty Siman: I got my first computer, an Amstrad 6128, back when I was in first grade at the age of 6. A neighbor of mine taught me Basic for about 4 years. After Basic, I learned Pascal for about 3 years before moving on to C and C++.
Checkmarx: What are two things about your role as a cyber security CTO that you are the most passionate about?
Maty Siman: That’s easy – staying ahead of the curve from a technology perspective, and constantly monitoring new and exciting companies in our field.
Checkmarx: What advice do you have for developers who want to increase security in their code?
1) Adopt and integrate an application security awareness training program that is relevant to the language specific security threats that face your code and one that your developers will actually use, such as Checkmarx’s new AppSec Coach.
AppSec Coach is an easy way for developers to increase their secure-coding knowledge without leaving their development platforms. Working in context with the actual vulnerabilities that have occurred in the code, AppSec Coach opens up in a mock IDE where the developer is able to access a short series of modules which walks them through the vulnerability that they need to mitigate in their code (ie: SQL injection, cross-site scripting (XSS) and others…). Throughout the quick lesson, the developer is shown which lines of code are problematic as well as a step-by-step guide of how to remediate the vulnerability before being sent back to the code that they were working on.
2) Be sure to read relevant application security mailing lists. Additionally, research how real-life attacks have managed to take place in the wild with a focus on which bad coding practices led allowed these exploits and breaches happening.
Checkmarx: Based on your experience, what recommendations do you have for security teams who want to work better with developers?
Maty Siman: While developers really enjoy learning new stuff, and many find security to be an interesting topic, they also have their own development deadlines to meet which can be severely limiting on their ability gain access to new knowledge and research.
Therefore, I recommend creating a “low-friction” process which would be defined together with the security team that educates developers about the most important current, and critical, security issues while avoiding having issues overlap with areas that the developers may have focused on in their own free time.
Checkmarx: Moving forward to 2017, what advice would you have for organizations who are looking to grow and scale their security?
Maty Siman: Start by pushing security to the left of the software development lifecycle (SDLC) and incorporating and implementing it sooner and more often. Be sure to distribute responsibilities to the development team while allowing the security team to stick to managing the process and assisting when questions arise.
Checkmarx’s theme for National Cyber Security Awareness Month 2016 is “Developers Vote Security.” As more and more organizations across all verticals speed up their development and adopt DevOps, the responsibility of security is “shifting left” and falling into the hands of the developers during the development stages of the SDLC as the windows for security testing in the later stages continue to shrink. These interviews are a key part of the content that Checkmarx is sharing in order to empower and educate developers about secure development best practices.
Read more about how Checkmarx can help with your organization’s application security awareness training here.