Secure Coding - Interview with Liran Tal

There's more than one way to code, and you'll find multiple programming styles. One aspect that's perhaps neglected sometimes is secure coding.

To learn more about the topic, I'm interviewing Liran Tal, a security expert.

Can you tell a bit about yourself?#

Liran Tal
Liran Tal

Hi! I’m from Israel, married and father to 5 years old Ori Tal. I’ve been dabbling with software and open source since elementary school, mostly through the FOSS movement around the Linux OS. I was drawn to information security, through-out my childhood and adult life.

It’s always been an on-and-off thing until recently. For example, I authored a book about Node.js Security, and work with the Node.js Foundation’s Security working group. These activities led me to consider a Developer Relations role at Snyk seriously. Ultimately I made a move from a software developer and team lead to security full-time.

How would you describe Secure Coding to someone who has never heard of it?#

Taking into account the security aspects of the code we write is as important as ensuring it's performant and bug-free. Secure coding contributes to the overall quality of our software. Similar to other doctrines, to write secure code, we follow best practices, secure conventions, and standards. This way, we ensure that the code we write is following standards and free of security bugs.

Why is Secure Coding important?#

As a developer, I naturally relate a lot to secure coding practices because, as developers security vulnerabilities that manifest due to security bugs begin with us. The state of open source security report from 2018 revealed the median time of a security bug from introduction to discovery. Based on the study, it takes no less than two and a half years!

How does Secure Coding differ from other forms of security?#

There are indeed so many forms for security, as well as verticals in which security kicks in. Good examples are network security or application security. The common dominator, however, is software because the software is eating the world and so just like Software Defined Networking, many other technologies will eventually become software-based.

When we zoom in on the software development lifecycle, security should be embedded throughout the entire lifecycle from planning and design to development, testing, and production monitoring. Secure coding is that first phase in that lifecycle where planning meets implementation.

OWASP has a significant number of resources, one of which is the Secure Coding Practices reference that would serve up as a good starting point, to begin with.

What does the future look like for Secure Coding and web development in general? Can you see any particular trends?#

I believe that we are going to see a lot of automation and developer-empowered workflows and tools. These will help us make sure that we bake security into the development process and not treat it as an after-thought. The trend makes a lot of sense because of the scale that we’re facing.

There are a hundred developers for every security person in an organization. The situation is hard to scale, and it's impossible to run manual reviews per commit which get deployed quickly as we also embrace CI/CD and DevOps. Because of this, we need excellent security automation tools to help us realize good security in our applications.

What advice would you give to programmers getting into web development?#

For anyone getting into software development, I’d recommend to unlock yourself from the chains of frameworks or keeping up with trends. Focus on building things you are passionate about and challenges that fuel your brain. Connect with communities and colleagues so you can enrich each other with knowledge and confidence.

As you are making your way in software, take the time to study essential software development skills. These include the essence of writing tests, the art of debugging, and the importance of software security and the principles of security best practices.

One of these communities is the secure developer where we feature Jim Manico among other great speakers and AppSec influencers to support developers. I take part in this community and invite you to join as we're running webinars, a newsletter and a Slack group for security-minded developers. We cover secure coding practices and all-around web security topics.

Who should I interview next?#

@BenedekGagyi or @AlyssaHerrera\ are going to have interesting stories which I’m eager to read about!

Any last remarks?#

Open source is fantastic, and we’re at exciting times in software and technology in general. Take a deep breath and jump in!

Conclusion#

Thanks for the interview, Liran! As a topic, secure coding is one of those techniques that often gets overlooked and I feel there's a lot for many developers to learn. I can't wait for more tooling to appear in the space to help us develop robust, more secure software.

Need help?