What news from AWS re:Invent last week will have the most impact on you?
Amazon Q, an AI chatbot for explaining how AWS works.
Super-fast S3 Express storage.
New Graviton 4 processor instances.
Emily Freeman leaving AWS.
I don't use AWS, so none of this will affect me.
AI / Frontend Development / Security / Software Development

Why Grace Francisco Made Developers Dance at a Conference

Developer relations head says it’s time for developers to embrace the Shift Left movement and take security to heart.
Oct 13th, 2023 7:41am by
Featued image for: Why Grace Francisco Made Developers Dance at a Conference
Grace Francisco at the International JavaScript conference. Photo by Loraine Lawson.

Grace Francisco, a former developer, made developers dance to drill home a point: Developers need to shift left and left again to embrace security before writing the first line of code.

“I like to incorporate emotions of concepts because it helps with setting a memory,” Francisco told the International JavaScript audience, who somewhat begrudgedly indulged the dance during her Sept. 27 keynote address. “I’m going to help you understand why we technologists have to embrace this responsibility to be part of that cultural shift. It’s super important.”

Francisco is CMO and head of developer relations at Pangea, which is a security services firm that offers security APIs for developers — so she has a vested interest in selling this point. But that doesn’t mean she’s not right: It’s too little too late to talk about security after an app is deployed. As security experts have warned time and time again, security needs to start with developers.

Plus, this is a real problem: She pointed out one survey had revealed 67% of developers “were honest enough” to admit they knowingly submitted insecure code.

Meanwhile, hackers aren’t script kiddies in basements any more — they’re organized crime and nation states: Highly funded, highly organized and extremely efficient, she added.

“Hackers are going to use AI to their advantage to exploit your code,” she said. “This is why you need to really embrace the responsibility [of] security.”

Personally Identifiable Information (PII) should be treated as the Crown Jewels of the company, she said. At an average of $146 per breach per record, attacks adds up over the course of 10,000 records, she said.

But beyond money, what Francisco wanted to emphasize is the personal impact of a breach. She shared a series of vignettes to drive home the point that when code is insecure, real people can suffer.

  • In the UK, a woman’s data was leaked in a breach involving a mobile phone. An ex-boyfriend was able to take that leaked information, take over her phone without her knowing, learn her new address, and stalk her for weeks.
  • Emergency departments Manchester Memorial and Rockville General (Connecticut) were forced to close and reroute those who needed care to a nearby medical center after a breach caused by a ransomware attack on Prospect Medical Holdings of Los Angeles. Its health care facilities also had to cancel elective surgeries and urgent care; with podiatry, wound care, women’s wellness, and gastroenterology services also suspended.
  • The Colonial Pipeline attack caused massive gas panic across 17 Eastern states and literally had people trying to pour gasoline into plastic bags, she said. Colonial ultimately paid the ransom of $5 million dollars worth of bitcoin.
  • The SolarWinds cyberattack was the largest attack on the supply chain in history involving 100 US companies and nine federal agencies. It’s estimated that at least 1,000 engineers globally were involved in the sophisticated attack, Francisco said, pointing out that, again, these aren’t script kiddies of the 1990s.
  • AI seems likely to add to the problem. Already, it’s lead to public breaches, with Samsung employees putting their code and presentations into ChatGPT, Francisco pointed out.

She compared the problem to trying to rescue drowning children — you can keep pulling them out one at a time, or you can go upstream to stop whoever is pushing them into the river in the first place. So far, developers have been pulling them out one at a time, instead of solving the real problem, she added.

“We as developers, we are doing this every single day that we ship insecure code and the people that are driving the customer journey — that’s you, that’s your friends, that’s your family, that is everyone who has to deal with your code,” Francisco said. “Software’s not regulated. There is no responsibility to the threats that we are imposing on all of our users and we don’t think about our responsibility to security to safety. For our users, it’s equivalent to no brakes, no airbags.”

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.