As a software consultant, I’ve involved in lots of projects and teams, working with lots of super energetic developers. But believe me, working on a startup project is totally different to a large scale project. One of the most important concerns in a large scale software development is security. When you are working on a project like a ‘Banking solution’, ‘ERP solution’ or ‘Aviation solution’, having a secure software is not just a concern, it is a ‘must have’, and lack of it could fail your project completely.
In these years, I’ve also consulting to some security departments of Iranian banks to improve their software security via optimizing their SDLC (Software Development Life Cycle). Working in this area, I have found that most of developers do not see ‘Secure Programming’ as their daily work. Instead, they see security tests, as a ‘Final Test’ which just burdens them with lots of unrelated tasks.
Another problem, is that most of developers think that just adding some security related features in their software makes it secure. For example, they think adding authentication and authorization using some libraries makes their software secure.
Adding just some security features does not make your software secure!
So, a very good practice to secure your software, is to bring the ‘Security Mindset’ into every step in your SDLC process. As a developer, When I am writing a piece of code, I should know about the security impact of every line of my code.
It is always one of my concerns how could it happen? Via designing some boring security courses for developers? Via publishing some rigid standards that developers will not even study!?
Behsazan Mellat Solution
In fact, it was a concern until last week which I had a great chat about this topic with Meysam Namayandeh, a good friend of mine. Meysam is IT Security Manager at Behsazan Mellat. He described me how he and his team reached to a very handy solution in their organization, which really excites me. They developed a software to run a contest in their organization called: ‘Capture the Flag’. CTF is a famous contest in security field and they localized and optimized it for organizations. They designed it in a way that developers of their organization can hack some of the predefined security scenarios.
Running this contest brings lots of fun into the atmosphere. It helps people to unify as some teams and compete together by learning and hacking the security scenarios. I think it drastically affects the way that developers make their future code.
The interesting part is that they make it available as a service for other organizations too. So, if you are interested to have such a process in your organization, just let Meysam konw!
Here you can watch a brief about how their CTF works: