This past week is one we’ll never forget, even though many of us would like to do so. Beyond massive economic and social impact, the coronavirus disease (COVID-19) is massively disrupting how we live and work. From global travel restrictions to the cancellation of events worldwide, organizations are quickly pivoting to meet the constantly changing effects of COVID-19.
Suddenly, a Work-from-Home Workforce
Last Wednesday, the World Health Organization (WHO) declared COVID-19 to be a pandemic, triggering hundreds of announcements by global companies asking employees to work from home. While some organizations may be better equipped to support a workforce that is virtually 100% remote, many are finding that they are venturing into completely new waters—ill-prepared to deal with the technological and logistical issues that come with it. For example, a remote workforce requires additional identity verification measures, wider use of encryption, and many other controls that differ from the typical workplace environment.
The COVID-19 work-from-home experience is often not typical of remote work. Workers are being thrust into remote work without preparation, warnings, or processes set in place. For those accustomed to working side by side in the office, suddenly working remotely can be a huge challenge. In some cases, employees may not have a productive place to work. School closings are exacerbating the situation, with many school-age children, who must stay at home throughout the day, causing constant distractions. And with the constant state of economic, political, and social turmoil caused by COVID-19, the desire to look online to keep up with the news can be a constant distraction.
Cyber Criminals Aren’t Quarantining Themselves
Cyber criminals are not taking time off or quarantining themselves, but rather they are ramping up their efforts—taking advantage of the situation and bombarding home-based workers with malware and phishing campaigns. According to new research, coronavirus-themed domains are 50% more likely to spread malicious activity than other domains. Workers who click links in malicious emails promising updates on local school closings, economic news, and similar topics unknowingly open themselves, and their company, to significant risk.
That workers are now at home doesn’t mean they are detached from the corporate network. Rather, they are still connected—simply over their home Wi-Fi network. These connections expand the attack surface and are often much easier to infiltrate than an enterprise network. Additionally, workers using personal laptops and tablets—more common in a home-based office—can easily transfer critical data onto those devices without considering the risk.
Aaron Inness, protective intelligence analyst at RiskIQ, indicates, “In the past, cybercriminals have found success using disasters and global epidemics in ransomware and other malware attacks and developed a pattern we expect will continue with the coronavirus.”
Work-from-Home Developers Face Distractions
Constant distractions are always a concern for developers writing code, and for a developer who is not accustomed to writing code at home, distractions are bound to arise. A distracted developer may unknowingly make simple mistakes that introduce vulnerabilities into the code. Or their lack of focus might cause them to overlook vulnerabilities they would have noticed in an office setting.
Vulnerability alerts can also slow down code commits and development cycles. Indeed, alert fatigue is a significant problem, even for developers working from traditional office environments configured to facilitate coding. With each alert taking upwards of 10 minutes to review and nearly 50% being false positives, alerts—both legitimate and false—can significantly impact developer productivity.
Recommendations to Developers on Remaining Focused and Productive
Following are some recommendations for developers who find themselves at home, in unfamiliar territory, on ways they can remain focused and productive.
Excise the coding halts. Traditional application security (AppSec) approaches can be huge distractions, even for developers in an office environment. Static application security testing (SAST) halts code commits while the code is checked for vulnerabilities and those are manually remediated and verified. Instead, developers need AppSec integrated into the application, whereby vulnerabilities are identified and remediated as they code.
Automate where possible. Productivity gains across virtually any professional function today are often tied to automation. In the case of developers, they do not have time for manual vulnerability identification and verification of their remediation. They require an AppSec platform that removes the burden from them for these tasks.
Pinpoint vulnerability alerts that matter. Constant interruptions from vulnerability alerts, and the time required to comb through them each day, squander valuable productivity while slowing software release cycles. Instead of surfacing every vulnerability, developers need an AppSec platform that narrows the list to only those that matter. Findings that do not apply because of the application’s environment and configuration should never reach them.
Dump the false positives. False positives can become a productivity drag for both developers and security professionals who often need to work in concert to address them. Instrumentation-based AppSec can virtually eliminate false positives by following the routes applications take rather than testing code against a blacklist.
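The distinction drawn above (and in the earlier point about alerts that matter) between a pattern blacklist and instrumentation that follows the route data actually takes is easiest to see in code. The block below is an added illustration written for this post, not any vendor's product: a toy taint label that propagates through string concatenation, an instrumented database sink that reports only when labelled data reaches the query text, and a regex "blacklist" scanner that flags any sink call mentioning the input variable. The function names, the regex, and the two lookup routines are all constructed for the demo.

```python
import inspect
import re


class Tainted(str):
    """String labelled as coming from an untrusted source (constructed demo).
    Concatenation propagates the label, mirroring what a runtime
    instrumentation agent does as data flows through the application."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def sql_sink(query, params=()):
    """Instrumented database call: a finding is raised only when tainted
    data ended up inside the query text. Bound parameters never taint it."""
    return "sql-injection" if isinstance(query, Tainted) else None


def unsafe_lookup(user):
    # Untrusted input is concatenated into the query: a real vulnerability.
    return sql_sink("SELECT * FROM users WHERE name = '" + user + "'")


def safe_lookup(user):
    # Same input, but passed as a bound parameter: not exploitable.
    return sql_sink("SELECT * FROM users WHERE name = ?", (user,))


# Pattern-based rule (constructed): any sink call that mentions `user`.
BLACKLIST = re.compile(r"sql_sink\(.*\buser\b")


def blacklist_scan(func):
    """Static check with no knowledge of how the variable is used."""
    return "sql-injection" if BLACKLIST.search(inspect.getsource(func)) else None


def runtime_scan(func):
    """Instrumentation-style check: execute the route with labelled input."""
    return func(Tainted("alice"))


def compare():
    """Return (function, blacklist verdict, instrumentation verdict) rows."""
    return [(f.__name__, blacklist_scan(f), runtime_scan(f))
            for f in (unsafe_lookup, safe_lookup)]
```

`compare()` shows the blacklist flagging both routines while the instrumented sink flags only `unsafe_lookup`; the `safe_lookup` hit is exactly the kind of false positive the text describes.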
Shift left to reduce remediation work. Many traditional security approaches focus on vulnerability identification and remediation at the testing phase of the software development life cycle. But waiting to fix vulnerabilities at this stage of the development process incurs many more hours of time identifying and fixing them. Shifting the identification of vulnerabilities left to the build phase, especially when coupled with continuous, real-time testing, can save substantial time.