Security by and for developers – Breezy Dev Conf

Written by Tarmo Kellomäki
Director, Digital Security & Functional Safety

I had the privilege to attend the first ever Breezy Dev Conference as a speaker. 150 software developers and architects gathered to learn and discuss all about software development. Thank you Mirka, Gambit, and everyone for the amazing event!

My topic of the day was Security by and for developers. Here are the main points for you in case you missed the conference.

How is the cyber weather?

The Finnish Transport and Communications Agency Traficom maintains a Cyber weather map. The map is updated monthly with key information on national and global security incidents and phenomena.

According to the latest Cyber weather report, the main threats to consider are:

  • Ransomware,
  • Phishing,
  • Data breaches and leaks,
  • Exploitation of system and technology vulnerabilities from the public Internet surface, and
  • Attacks against industrial IoT systems.

Each of these threats is very relevant in software development, since the business assets exist almost solely in the digital world. In the worst-case scenario, a software company’s whole business can be lost because of a single cyber incident.

So, what ingredients make secure software development?

Software developers and architects often approach security from a technical angle. Technical security capabilities are important in a development environment, but it’s still the people who make the difference in security.

My recommendation for all development teams is to create a security culture right from the start rather than, for example, buying a one-size-fits-all cyber solution for your environment.

Here is my four-point approach for secure software development:

  1. Educate every developer on the basics of information security and cyber security.
  2. Start applying security practices – e.g., threat modeling and security requirements definition – in your development practices. It might only take 15 minutes extra in sprint planning to go through the product features against its threat model.
  3. Conduct security reviews internally and/or externally.
  4. Make sure your products and development environment are hardened properly.

We need you, developer!

One speech at Breezy Dev Conf started with the classic words: “Developers, developers, developers…”. I share the same message.

Cyber security needs you, developer! Only you can build your software to be more secure.