Developing a security mindset: Tips for software engineers

As a software engineer, having a security mindset is essential to ensure you are developing reliable production-ready software. 

New Relic recently hosted a Twitter Space with Harry Kimpel from Snyk and Frank Dornberger from movingimage to discuss how software engineers can develop a security mindset.

Having a security mindset goes beyond looking at application vulnerabilities and threat prevention. It’s also about considering application integrity and system reliability. You need to make sure your applications don’t negatively impact your customers, monitor your application performance, and handle downtime as well as exceptions and issues as soon as possible.

Based on the Twitter Space discussion, here are eight tips for building a security mindset.

• Shift your security process left. Start thinking about your software's security earlier in the software development lifecycle. It’s a common mistake to consider security later in the development process. Ultimately, security is a recurring process that needs to be part of the entire development lifecycle.
• Make the switch from DevOps to DevSecOps. Build security practices into your entire software development lifecycle by shifting left, automate as much as possible, and simulate threats and incidents so that your teams can deal with actual incidents.
• Try to think of the unhappy path when developing software. Look for edge cases, test them, and plan ways to prevent them from happening. Be aware of default passwords, configurations, operating systems, and similar defaults that are used within your environments. Try to break your code on purpose when testing, and limit permissions so that your users have access to only what they need.
• Ensure you are conducting peer reviews of your code and systems. That way, you reduce the possibility of making a critical mistake or pushing bugs and security vulnerabilities into production.
• Make sure the libraries you use are regularly maintained. Every company is a software company that either leverages software internally or provides software to customers. A security mindset includes understanding that software, how your customers use it, and how it’s used to provide a reliable experience to both internal and external users. A big part of that understanding means checking libraries and third-party packages for known vulnerabilities and ensuring that these libraries are being maintained.
• Develop system redundancies. No matter how well we plan or how hardened our systems may be, there's always a chance that something totally unpredictable might happen, even something as unlikely as a data center burning down. Having system redundancies in place can help you both prevent downtime and rebuild systems in situations where you would have to start from scratch. This could potentially save you countless hours of work. 
• Keep up to date on the latest practices. Security best practices change rapidly as technology advances, so staying up-to-date is essential for developing a strong security mindset. This includes reading industry publications and blogs, attending seminars, and participating in online forums related to software engineering and security topics. Useful resources include SLSA.dev, the OpenSSF Project, and the Snyk Learn Platform.
• Train your software teams. Software engineers play an important role in security, so they should understand the impact of their code and what potential problems or vulnerabilities could arise from it. Additionally, understanding the different components of application development—from architecture design to coding and how they interact with each other—is key to developing secure applications and understanding your entire stack. It's also essential for software engineers to understand their particular company’s security policies, procedures, and guidelines.

Developing a strong security mindset is worth it if you want your applications to remain secure and reliable over time. With these tips in mind, you and your teams can develop a security mindset when writing code or designing systems architectures for your applications.