Software Integrity

Gary McGraw discusses the security risks of dynamic code

Dynamic languages and the associated development and operations (DevOps) methodologies change and evolve constantly. Because these dynamic aspects of software are intentionally ever-changing, security measures must also be in a constant state of progression.

The old-school software security approach relied on searching for defects at the very end of the software development life cycle (SDLC). Modern software security touchpoints, such as code review and architecture analysis, instead build security best practices into the SDLC itself. While the modern approach is preferable, it is tough to maintain and is not often encountered in real-world situations.

To maintain the highest level of security within a system's DevOps practice, for now at least, a new approach to security needs to be taken into account: one that accounts for massive dynamism.

Finding a weakness in a dynamic system is one thing; fixing it is a completely different challenge. There are many ongoing conversations about finding weaknesses in dynamic systems, but few about how to resolve those weaknesses.

In some situations, massive dynamism that constantly acts as a moving target can be turned into a security advantage. Google takes this approach: it is willing to allow parts of the system to fall victim to attacks in order to save the system overall and, more importantly, Google's user base.

A second approach uses dynamism in testing, applying test cases that are as dynamic and automated as possible. The goal is to test production systems constantly and resolve the issues found, creating a stronger overall platform.

Eventually, design and code refactoring will be essential in accommodating dynamic programming paradigms.

Learn more as Synopsys' VP of Security Technology and security expert Gary McGraw discusses the security risks of dynamic code and approaches to addressing them.