A developer in their natural habitat is often spotted in a state of deep concentration, coding awesome features to tight deadlines. Feature-building is often our favorite part of the job, and really, itโs the fundamental outcome of the software development life cycle (SDLC).ย
However, as we have discussed before, many of us are still prioritizing features over security best practices. After all, in most organizations, it is set up to be someone elseโs job and adequate security training for us is limited. Penetration testing and static analysis scanning tools (SAST) are just part of the overall process to mitigate security risks, operating rather independently from what we do โ until the code bounces back to us for hotfixes, of course.
Itโs at that moment that many developers think, โDo the pentesters hate me?โ
These interactions often define a team and culture. The concerning thing is, the lack of communication, understanding and overall collaboration has created tension, at least on the side of the developer.
Think about it: Imagine youโve spent a few hundred hours sculpting a marvelous statue, and then someone comes along with a hammer and starts smashing bits off it after theyโve told you its foundations are not up to scratch. Thatโs the perceived dynamic between a tester and developer โ the latter has their software darlings slaughtered by an outsider that hasnโt labored through the process with them; instead, theyโve extended the workload and delayed the satisfaction of shipping code.ย
Having moved into the security space long ago, I can see both sides of the story. And no, pentesters donโt hate developers. The pentester is in all likelihood, overworked and under a lot of pressure. As such, a constant stream of common security bugs that could be quite easily fixed at the code level take up time, resources and headspace away from the really serious issues.ย
I always saw pentesters as kind of like parents. They want you to do well, and when you donโt theyโre not mad, just disappointed.
Now that Iโve put that (perhaps slightly unfair) image in your mind, letโs explore this a little deeper. What has caused this world view among developers?
Resentment for Being Told What to Do
Nobody likes feeling as though theyโve done a bad job, or that someone doesnโt like their work. Sadly for developers, when static analysis and pentest results come back to them, it can feel like a report card. Theyโve been given low grades, but at the end of the day, their bosses assess them on the features theyโve built and the time theyโve delivered them, not whether there were vulnerable elements in the software or not.
For the poor pentester, this is a case of โdonโt shoot the messenger.โ Itโs nothing personal โ they are tasked with finding bugs, and they found them. Granted, at a person-to-person level, maybe some pentesters are grumpier than others, but theyโre not (or shouldnโt be) out to crucify development teams. It would be far easier for both teams if they were on the same page with what constitutes security best practice. Developers are not expected to be perfect; realistically, the testing team is there to protect them from shipping vulnerable code.
Minor Issues vs. Higher Priorities
Itโs true, a developerโs highest priority will always be the building of features, and in this crazy world of rapid digitization, it will have to be done at speed. While some coders have a personal interest in security and secure coding, the general sentiment is that security is โsomeone elseโs problem,โ which inevitably includes pentesters.ย
Most common vulnerabilities are indeed minor issues to remediate โ once known, the fixes are simple to execute for things like cross-site scripting (XSS) and SQL injection. The problem is, many developers donโt realize theyโre introducing them in the first place, and these seemingly minor issues are the small window of opportunity an attacker needs to cause devastating problems for a company. According to Akamai, between November 2017 and March 2019, SQL injection vulnerabilities accounted for 65% of all web-based attack vectors. For a vulnerability that has had a known fix for more than 20 years, that is a sobering statistic.ย
Some pentest teams do assist in the remediation of security bugs, but others will provide a report of the bad news and expect developers to work through hotfixes, even if they have moved onto a different project by the time this happens. And in some cases, the development team may be faced with a report that includes bugs they canโt (or shouldnโt be expected to) fix. It still has to be part of the findings, and again, not taken personally.
The โhappy mediumโ for this would be pentesters, security personnel and development managers acting in more of a mentor role to ensure the team has what they need in terms of effective training and tools, giving individual coders the best chance to succeed and code securely from the very beginning of the SDLC. Both teams really should be meeting half-way to ensure security is considered from the start, as part of a healthy DevSecOps practice.ย
Lack of Knowledge vs. False Positives
Static analysis is an element of the security process in the SDLC, and static analysis scanning tools (SAST) play a fundamental role. And yes, false positives are an issue with these and other types (DAST/IAST) of scanners. Itโs an annoyance in what is already a slow process, requiring manual code review and putting pressure on both developers and pentesters alike. Pentesting personnel have taken time to meticulously set up custom rules to avoid inaccurate readings and provided company-specific guidance, yet some false readings slip through and end up in front of a head-scratching developer.ย
This process isnโt perfect, but the other problem is that many developers lack enough knowledge to mitigate a lot of common vulnerabilities on a consistent basis. With security training rare in tertiary education, and on-the-job training varying in its effectiveness, it stands to reason that there may be some overconfidence at play as well (and itโs not their fault, we as an industry need to get better at equipping them with what they need).
Remediation Tasks
Sometimes, there is an assumption by overworked engineers that pentesters are just hanging in the wings, waiting for the moment to strike by testing an application and raining on the development teamโs parade. They are over-testing, theyโre nitpicking, theyโre creating extra work.ย
The only problem with that is they, too, are overworked (more so, in fact, the cybersecurity skills shortage is at dire levels and getting worse) and simply donโt have the time to test without reason. They are not the sole decision-makers in prioritizing testing; it could have been requested by senior leadership, a customer, as part of a security audit or even determined as a result of a bug bounty program.ย
For a developer, being pulled off current feature-building sprints to work on security fixes is annoying โ especially if itโs not their work. Perhaps a previous team did the last update, or another vendor. However, security is everyoneโs problem. That doesnโt mean every developer has to take ownership of security bugs as though they have made them all themselves, but they do need to come to the party in terms of security being a shared responsibility.ย
Where to from Here?
Sometimes, a mindset shift can be all it takes to make significant headway in solving a problem. Weโve talked about the rather frosty reaction a developer has to less than favorable pentest results, but what if they could turn it into a challenge? Perhaps they could think of the pentester as a friendly competitor; someone they can beat at their own game. After all, a security-aware developer that can eliminate common bugs as they write code is going to make their job much more difficult. By contrast, a developer with no focus on security is going to be comprehensively bested by their pentester counterparts when they can easily break their software.ย
Pentesters and developers may not be joined in harmony 100% of the time, but their relationship can be vastly improved when an organization addresses security as a key priority, and empowers teams with the right knowledge and tools to succeed โ especially developers. It comes down to whether a company-wide, positive security culture is a priority, and if we are to fight the (currently) losing battle against common vulnerabilities, it absolutely should be.




