Overcoming Vulnerabilities via Developer Incentives


Incentives matter. Whether they are monetary or not, a perceived reward can sway human behavior by motivating people to work toward a particular outcome. A holiday bonus for a job well done can prompt people to be more diligent in order to hit a target. On a larger scale, governments tax behavior they want to discourage (for example, tobacco and alcohol) and offer tax relief for practices they want to encourage (for example, saving for retirement through a pension).

To put it simply, incentives are nudges. The trick is making sure they nudge behavior in the right direction. An incentive for call center workers to complete calls as quickly as possible sounds smart: more queries handled means shorter wait times for callers. But if the metric being judged is call completion speed rather than successful resolution rate, workers will hurry to get off the phone instead of working to resolve the customer's query.

Software vulnerability management is another area where the wrong incentives spell bad news. Vulnerabilities are a major risk to users and developers alike and can lead to disastrous outcomes. What is needed is a change in developer culture, backed by some smart tooling such as a web application firewall.

Fighting back against vulnerabilities

A software vulnerability is a bug or flaw in a piece of software that bad actors can exploit to cause harm, whether that means spreading malware, exfiltrating data they are not authorized to see, or seizing control of a system or device.

Fortunately, in the age of over-the-air updates, software vulnerabilities can be fixed after the fact. That is very different from the bad old days, in which software was essentially fixed in place the moment it was released to the public on physical media such as CD-ROM. Updates could happen later, but this typically meant shipping new media, an unwieldy solution to a big problem.

Today, developers can release updates as frequently as they want, adding new features or patching up vulnerabilities before they can be seized upon by bad actors.

Move fast, break things

That's good news, at least in theory. In reality, the idea that security issues can be addressed at any point means their importance gets downgraded. Rather than waiting to release code when it is ready, developers are incentivized to ship working code as quickly as they can. Security is deprioritized because it is seen as less important and as a brake on rapid development. As the now-classic Silicon Valley mantra goes: move fast and break things. (The implication is that you can always fix them later, if you absolutely have to.)

While most would agree that AppSec is important, it is also sometimes viewed as a hindrance, with the people who work in it perceived as feet-dragging, innovation-stifling busybodies who would rather send an app back for rewriting than let a potential vulnerability ship. A software engineer who has to spend time on that rewrite cannot spend the same time building new features or entire apps. If speed is the main thing they are judged on, that is a bad position to be in.

A new way of working

What is needed is a rethink of how developers are incentivized. Instead of being recognized only for speed, developers should be rewarded for writing, and revising, code that has a low vulnerability rate. In other words, secure design should be the gold standard.

The reason is simple: vulnerabilities can be disastrous. They can leave data open to tampering, destruction, or theft. Injection attacks and cross-site scripting (XSS) exploit vulnerabilities to make a targeted system carry out commands its rightful operators never intended: a database running an attacker's query, or a browser running an attacker's script inside a victim's session. Vulnerabilities can be used to install malware, or to escalate an attacker's privileges so that they can perform actions reserved for administrators. The results can be costly from a financial, reputational, and productivity perspective.
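To make the "ship it fast" versus "secure design" contrast concrete, here is an added example that is not part of the original article: two versions of a login check against a small SQLite database. The function and table names, the user record, and the hashing choice are all constructed for the illustration (a real system would use a slow password hash such as bcrypt or Argon2 rather than plain SHA-256; SHA-256 is used here only to keep the example self-contained). The first version builds its SQL by string concatenation, which is the quickest thing to type; the second uses a parameterized query, which is the secure design the article is arguing should be rewarded.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Constructed sample record; SHA-256 is a stand-in for a proper password KDF.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct-horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_fast(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'move fast' version: user input is pasted straight into the SQL text.

    A username of  alice' --  turns the rest of the statement into a comment,
    so the password check never runs and the login succeeds.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND pw_hash = '"
        + pw_hash
        + "'"
    )
    return conn.execute(query).fetchone()[0] == 1


def login_secure(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The secure-design version: the SQL text is fixed, input travels as bound
    parameters, so a quote or comment marker in the username is just data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    attacker_username = "alice' --"  # classic SQL-injection login bypass payload
    print("fast, real creds:   ", login_fast(db, "alice", "correct-horse"))
    print("fast, injected:     ", login_fast(db, attacker_username, "wrong"))
    print("secure, real creds: ", login_secure(db, "alice", "correct-horse"))
    print("secure, injected:   ", login_secure(db, attacker_username, "wrong"))
```

Both functions accept the genuine credentials, so a speed-only review sees no difference between them; only the injected username separates the two, which is exactly the kind of defect a developer is never rewarded for catching if shipping speed is the sole metric.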

Pick the right tools, too

Even so, companies and users should avail themselves of the right cybersecurity tools for the cases in which vulnerabilities (inevitably) slip through the gaps. Solutions such as web application firewalls (WAF) and web application and API protection (WAAP) sit in front of an application and block many known attack patterns, such as injection and XSS payloads, before they reach vulnerable code. They are a safety net for the vulnerabilities that secure design misses, not a substitute for it.

Incentives matter. Just make sure you’re motivated by the right ones — like providing the absolute best service to your customers. That’s an incentive everyone can agree is the right one.

About the author

Mary Woods

Mary nurses a deep passion for technical and technological happenings all around the globe. She is currently based in Miami. The internet is her forte, and writing articles about modern-day technological wonders is her only hobby. You can find her at mary@pc-tablet.com.