Everyone should know secure coding principles, says Chrys Thorsen
Infosec Skills instructor Chrys Thorsen says the increased use of apps, cloud computing and the internet of things is reshaping IT and making it necessary for IT and security professionals to know secure coding concepts, standards and best practices.
As an IT and cybersecurity professional who holds 40 different IT and security certifications, Thorsen has applied her experience as a certified technical trainer to develop three new learning paths for Infosec Skills:
- Writing secure code in iOS
- Writing secure code in Android (releasing soon)
- CertNexus cyber secure coder
A quickly changing cybersecurity landscape
Thorsen says developers have historically treated security as an afterthought. Had they spent a little more time designing with security in mind, apps and users' data would be much more secure and far less likely to leak private information.
"This is what I try to instill in these learning paths — writing code that is hopefully simpler, cleaner and more secure," she said. "The financial and healthcare sectors are leading the way in this and providing some best practices."
In her role as a CIS admin for a large federal government agency, Thorsen leads teams into the DevOps (development operations) and cloud infrastructure space.
"IT and security are moving away from nuts and bolts and more towards using software-based, software-managed networking — and using the scripting languages, especially, to do that," she said. "IT and security professionals need to add to their skills. These courses will help them do that and continue to be on the cutting edge."
Learning from an IT leader
Like many top IT professionals, Thorsen has decades of experience on the infrastructure side of the industry. She is now focused on managing software development projects and helping train the next generation of IT and security professionals.
She says DevOps is erasing the distinction between infrastructure specialists and developers: infrastructure people should now understand the basics of coding, and developers should understand the infrastructure their code runs on.
"My primary strength is I'm a trainer," she said. "If you want to talk about network security, infrastructure security, pentesting and white hat hacking, that's my wheelhouse. And that's some of what you'll learn in these learning paths."
She added that everyone should be familiar enough with coding to write scripts that automate their testing.
"You don't need to be an expert, but you do have to know how to read code and be able to look at something and understand what's going on," Thorsen said. "These learning paths will show you how it's done. Then you'll be examining code and fixing it and writing secure code."
Writing secure code in iOS and Android
The learning paths for the two most widely used mobile operating systems, iOS and Android, are packed with practical tips, tricks and lessons in writing secure code that Thorsen has learned over the past 20 years. She wrote them for beginning developers, but intermediate and advanced developers will also benefit.
In both courses, you will learn what secure code looks like, examine source code to find weaknesses and vulnerabilities, and then learn how to fix the code and test it. The iOS learning path focuses on Swift, Apple's programming language, and teaches best practices for addressing the most common iOS app security mistakes. You will also learn the limits of Swift as a secure language (for example, the memory safety Swift provides by default does not extend to code that uses its unsafe pointer APIs or calls into C and Objective-C libraries) and how to compensate for those limits.
Both learning paths cover the significant vulnerability classes known for each platform and teach how to research and identify newly emerging vulnerabilities. Thorsen said that after completing the courses, you would write secure code as a matter of habit as you develop.
"First, I lecture on the principle and the why, and then I show examples in code, and I talk about, 'OK, here's where it's done.' Then we have labs where students download and open code to examine it, conduct testing and make security changes like adding a password checker."
Roughly half of each learning path consists of hands-on labs for Android and iOS, putting into practice what was first discussed in theory and then shown in examples.
"They build the app in an emulator so that you don't have to have the hardware like an iPhone or Android device. They try it themselves and learn by doing it together," she added.
The iOS learning path contains seven courses and more than 25 hours of material, covering topics such as input validation, memory corruption, encryption, access control, and protecting data and software integrity.
Thorsen is putting the final touches on the Android learning path, which will be released soon.
A solid resume polisher
Thorsen says these learning paths could open up new job opportunities in organizations that handle data at risk, such as people's financial and health records.
"If you're going to lead a team, or if you're going to be a developer for a company that cares about security, like a financial or health firm that builds their own apps, they're going to care about security. If you're a developer or do any type of quality assurance, you've got to be able to look at code, and that's a big added value," she said.
"There will be organizations that are really serious about security and secure coding. It will never hurt you, and it will probably always help you in a job interview to say, 'I'm not only a developer, but I'm a secure coder.'"
She and her team recently developed an Android and iOS app that allows people in a developing country in Africa to conduct banking and access financial products. She has also worked with a multinational financial company with 40,000 IT employees that pioneers apps and financial services that depend on secure code.
"They're super serious about security, and they do lots of quality assurance. So the opportunities are out there and will only increase in coming years."