And just like that, we’re on to the fourth and final week of Cybersecurity Awareness Month. All October, we’ve been sharing insights straight from Checkmarx experts who are deep in the software security trenches on a day-to-day basis. If you’ve missed any of the previous Q&As, catch up here:
- Week One: Erez Yalon, Security Researcher
- Week Two: Susan St. Clair, Evangelist & SME
- Week Three: Kurt Risley, AppSec Educator
We’ve covered a lot of ground, but one area we haven’t hit on quite yet is the developer side of things. In today’s modern DevOps world, developers are a critical gatekeeper of security. It’s no easy task balancing speed of software development with security, so we sat down with Jose Pereira, a Checkmarx developer, to understand how he accomplishes this.
Thanks for closing Cybersecurity Awareness Month out with me, Jose! Let’s start things off by getting a glimpse into what a normal day looks like for you.
My pleasure, thank you for inviting me.
It’s getting more and more difficult to define what a “normal day” of a developer looks like these days and things at Checkmarx are following the trend, which is very exciting. The part of our business that I deal with is programming languages processing, and on one day, you might find me coding a compiler for some new upcoming language, and the next packaging, testing, and monitoring our SAST tools on a customer site.
The part I enjoy most is adding support for new languages and versions to our solution, by researching and testing its features, especially the ones that have relevance in terms of software security, which our AppSec team helps with. Then, I plan the solution, i.e., how we as a team can further extend our engine to analyze these features and produce results. QA (quality assurance) will help me define appropriate tests and automations for faster development and maintenance. And finally, from there, it’s time to code!
What attracted you to becoming a software developer? What was the path to getting to this role like?
I’m not going to tell you it was my childhood dream to be a developer because I rather parachuted into it after high school. I loved videogames, still do, and am a practical person. I knew sitting in front of a computer for 12 hours a day was not an issue and I like the rush of chasing a solution to a problem. With that, Computer Science seemed like a good match. After my first year of college, I realized how lucky I was for landing where I did and now am very passionate about this track.
After earning my degree, I earned my master’s in formal methods of software development & compilers, and right after the dissertation, I joined Checkmarx.
This year’s Cybersecurity Awareness Month theme is “Do Your Part.” Developers play one of the most important parts in software security. How has this evolved over the past few years?
Over the last few years, we’ve heard a lot of buzzwords and phrases like “shift left” or “infrastructure as code.” What these concepts result in is increased complexity and responsibility for developers. On one hand, we want to fix bugs as early in the SDLC as possible, whether of a security or functional nature, and on the other, everything is suddenly code and has to be safely configured and maintained. It can be overwhelming, so it’s more important than ever that we as coders develop a “software security” state of mind.
At the end of the day, it is the developer’s attention to detail and proactivity that matters most.
Where do you feel developers add the most value when it comes to building a culture of software security?
The process of code reviewing is deeply embedded in our daily duties and is invaluable. Explaining our work to someone else gives us a new perspective, and in my opinion, a software security culture spreads rapidly when such procedures, where developers are gathered, take into account the security aspects of code.
As companies increasingly shift toward DevSecOps, what is your advice for developers who are trying to adjust?
Shifting from DevOps to DevSecOps is pretty much a software security “shift left,” which means developers will be much more involved in the software security procedures. Remember, you are empowered to suggest changes. Ask for related training if you feel like it’s something you need. Choose the appropriate automation tools and take the time to tweak them to your fitting – after all, you’ll be most responsible for their management. Most importantly, define a procedure – such as adding a security validation step to the SDLC – and follow it religiously, as it’s the only way to be in a continuous state of compliance.
What does success or a job well done feel/look like to you?
For confidentiality reasons, sometimes, customers cannot share erratic scenarios with us for fixing so we have to work directly with them in their environments to realize what’s actually wrong. I recently had the opportunity to do this and it was very gratifying, handling the process end-to-end and witnessing the true value of our work amongst our customers. It made me realize how important it is to match their needs. This, to me, is what I consider to be a successful day on the job – achieving what the customer requires and having it impact their day-to-day operations.
Any advice for aspiring software developers?
Take your time to learn the basics. We work with many high-level abstractions these days and knowing the intrinsic parts of your programs is a lot easier when you know what lies under the hood. Moreover, when you are there, everything will click much faster, giving you the flexibility to work with any technology at a faster pace. Not to mention going beyond the functional part of your programs and prioritizing security since we are on the subject.
If you’ve missed any of the items we’ve put out over the course of Cybersecurity Awareness Month, you can find them all in one convenient spot right here. Thanks for following along, and we’ll see you next year!