Adapt or Die: The Cyberwar Imperative for Developers
The JBS ransomware attack by the REvil ransomware network has stepped up the societal impacts of the ongoing cyberwar with Russian criminal networks. First it was a major US pipeline, now it is a global food producer with facilities impacted in the United States, Brazil, and Australia.
Immediate, multi-pronged action is needed. The US government must now consider taking steps against the threat actors directly or via the Russian government. And, as stated today by the White House in a cybersecurity memo, IT leaders and organizational executives must immediately take steps to deal with the threat.
But it is also up to everyone in business settings to take defensive actions. This now includes all my fellow Salesforce developers.
Research tells us that fixing a flaw in software systems is hundreds of times easier during development, rather than in production. This realization translates into a new security focus on developers and the devops process. So, how can big companies like JBL start fixing their cybersecurity problems and how can devops and developers take action starting today?
Silos and High Priests Are the Problem
The mainstream media is asking “Why is this happening to us?” The answer is complex, but it has to do with the way American business runs at a basic level. Most companies organize lines of business according to product divisions. And within each division workers are organized in a chain of command like how the US military organizes its troops. This hierarchical thinking is at the root of many organizational problems, such as unnecessary political competition and insulating groups of workers, otherwise known as creating silos.
When a company applies hierarchical thinking to cybersecurity, that company has already given up its defenses in the cyberwar. A CISO with a department of high priests who impose cybersecurity doctrine and covet a mysterious sense of power does not engender trust within that company.
Instead, forward-thinking companies are putting cybersecurity personnel directly into the division-level IT teams. Companies cannot simply mandate that the troops get more secure, they need to send more troops to do the job.
It is as if an army commander forgot to embed the medics during the storming of Omaha Beach in World War II. Just like embedding a medic with every squad during wartime, company leaders must staff up with cybersecurity specialists to inhabit every corner of the modern enterprise. Cybersecurity doctrine needs to backed up with new headcount.
Developer-First Security Tools
As a developer I know how it is easy to slough off security concerns. That is because while I am completely focused on coding a business rule, I can easily rationalize that I will check the security stuff later. Salesforce developers are frequently blind to profile and permission set issues. And why not, when Apex allows for operating in a “supervisor” or security-free mode?
Salesforce has addressed this particular issue with the “WITH SECURITY_ENFORCED” clause in SOQL. To fix my security coverage, I used VS Code, the Apex PMD static testing tool, and the VS Code extension for Apex PMD in an interactive way to upgrade my DML statements with the new statement. That was easy enough, and then when I ran my unit tests I eventually found and fixed potential data security issues. At least these errors were found before a commit or deploy action but were corrected more interactively.
Most security tools are not interactive and work in a batch mode. After a commit, for example, a security scanner fires up, ingests the code, reports anomalies, and possibly stores the results. The scanner then sends error messages and remediation advice back to the developer, who processes the annoying results. This batch-oriented process is just another feature of Salesforce development that makes the whole developer experience seem terribly slow and somewhat annoying.
If, to prevent security problems in the first place, we are asking developers to take on a greater security burden, then they deserve better tools. Developers need tools that are interactive and engender a sense of productivity and power.
Security and testing tool vendors need to imagine new ways of integrating their tools with VS Code. More Salesforce cybersecurity tooling that works with Salesforce languages directly in VS Code without introducing annoying batch processes is needed.
Cybersecurity Developer Heroes Wanted
I hope developers will take the initiative and demand more from tool vendors. Who does not want to produce bulletproof code from the beginning? But corporate silos have isolated cybersecurity knowledge and resources away from a developer’s daily life. And when the new security doctrine comes down, we do not get the weapons made for the war we are now fighting. For now, until the medics arrive, only individual developer heroes will help their own squad fight effectively in this new war.
But is it as dire a situation as my “Adapt or Die” title implies? Yes, because the cyberwar is real and has the potential to impact daily life as much as the coronavirus. Infrastructure attacks can have lethal consequences by shutting down parts of society. As developers on the front line, we need to be talking more about cybersecurity and finding ways to improve our competency with more tools like Apex PMD and its VS Code Extension.