Want developers to code with security awareness? Bring the training to them.
These are exciting times, with digital transformation bringing disruptive technologies that change the way we work, sleep, eat and spend our personal time. As new competitive entrants give consumers more choice and business models become more agile, tech companies have the opportunity to excel with new technologies that make their customers’ lives easier. For developers, this fast-paced world offers plenty of opportunity to be part of something great: the chance to make their mark on a project that will affect others for decades to come.
New opportunities emerge, so do new risks.
New digital business models introduce new weaknesses in infrastructure that can be exploited, and attacks are now continuous (one widely cited estimate puts them at one every 39 seconds). Considering that almost half (48%) of organizations knowingly push vulnerable code in a bid to meet deadlines, this presents tremendous risk. For this reason the start-left approach to application security is a wise business decision. A lot of the security risks companies face come from vulnerabilities in code, so it makes sense to encourage developers to write quality, secure code from the outset and minimize the chances of finding vulnerabilities late in the development cycle. However, looming deadlines to release those digital solutions make it hard for developers to find time to pick up the mantle for security. And because security hasn’t historically been a developer’s priority, the required skills sit within the AppSec teams, not with developers. So how can we solve this dilemma and achieve a software development cycle that is both productive and secure?
High quality and secure code is essential
Given the circumstances outlined above, you can understand why security is put in the “too hard” basket during the coding process and left to the security team to work out: too many competing deadlines, not enough security knowledge, and no personal reason to care about security with everything else going on. However, there is simply too much demand for secure code for this approach to continue. The good news is that developers are increasingly aware of the issue: a recent survey revealed that nearly nine in ten developers (89%) acknowledged that undetected errors take a big toll on the business. Developers also know that secure coding skills make them more attractive to employers. With this in mind, here are three things companies can do to help their developers write quality code that makes the headlines for all the right reasons.
Let’s make DevSecOps work
Security is still the domain of the AppSec team, but an AppSec team working with security-aware developers has more breathing space instead of fixing the same common bugs on repeat. A functioning DevSecOps process requires every member of the team to have the support and tools they need to share responsibility for security, and the right kind of training is paramount. Balancing the right suite of tools and training requires AppSec professionals willing to work closely with developers to inspire them and drive positive change.
Give developers the right security knowledge
The 2020 Data Breach Investigations Report from Verizon found that 43% of data breaches involved web applications. Developers are not receiving effective security training, neither in tertiary education nor as part of workplace upskilling. If they were, common vulnerabilities like SQL injection and old-school path traversal would not still be exploited for significant data paydirt, and the cybersecurity skills shortage would not be as severe. We already know there is too much going on in a workday, so when it comes to upskilling, what incentive do developers have to schlep off to a classroom, or context-switch through five steps to reach static, theory-based training? It is more effective for both the developer and the organization to make security training a smoother, more integrated and less jarring experience by delivering it in the spaces developers actually work in, like Jira, GitHub and the IDE. An IDE- or issue-tracker-integrated solution focused on bite-sized knowledge gets the right information in front of them at the moment it is needed. Training shouldn’t only be easily accessible, but also timely: contextual, hands-on learning is by far the most effective way to train, with bite-sized chunks delivered right when they make the most sense. This is sometimes referred to as “Just in Time” (JiT) training, and it is a very powerful way for developers to learn.
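To make the two vulnerabilities named above concrete, here is the kind of “find the insecure code, fix it” pair a bite-sized challenge would put in front of a developer. This is an added example written for this page, not code from Secure Code Warrior, Cloudogu or any of the page’s training material; the in-memory user table, the `/srv/uploads` base directory and the function names are constructed for illustration.

```python
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data: an in-memory users table with three made-up rows.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# --- SQL injection -------------------------------------------------------

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # VULNERABLE: the caller-controlled name is spliced into the SQL text, so a
    # value like  ' OR '1'='1  rewrites the WHERE clause and returns every row.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # FIXED: the value is bound as a parameter; the database driver treats it
    # as data and it can never alter the structure of the query.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Path traversal ------------------------------------------------------

def resolve_upload_path_vulnerable(base_dir: str, requested: str) -> str:
    # VULNERABLE: join() happily keeps "../" segments, and an absolute
    # `requested` value discards base_dir entirely.
    return os.path.join(base_dir, requested)


def resolve_upload_path_fixed(base_dir: str, requested: str) -> Optional[str]:
    # FIXED: canonicalise both the base and the candidate (this also resolves
    # symlinks), then require the candidate to sit inside the base. Returns
    # None when the request would escape, so the caller can refuse it.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable query returned", len(find_user_vulnerable(db, payload)), "rows")
    print("fixed query returned", len(find_user_fixed(db, payload)), "rows")
    print("vulnerable path:", os.path.normpath(
        resolve_upload_path_vulnerable("/srv/uploads", "../../etc/passwd")))
    print("fixed path:", resolve_upload_path_fixed("/srv/uploads", "../../etc/passwd"))
```

The injection payload turns the vulnerable query into `WHERE name = '' OR '1'='1'`, which matches every user; the parameterised version looks for a user literally named `' OR '1'='1` and finds nothing. For the path case, checking the canonical prefix after `realpath` is what catches both `../` segments and symlink tricks, which a naive `startswith` on the raw string would not.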
Make security training part of the coding process
Developers need processes that meet the demands of this digitalised world. They need to deliver on time, respond immediately to changing requirements and rapidly deploy new features en masse. Achieving this requires the right DevOps platform: one that simplifies the development process while improving developers’ security knowledge and coding skills. This integrated approach can be the catalyst for winning over developers with less disruptive learning, creating pathways to more in-depth courses, training up security champions, and generally inspiring the shared responsibility we need to keep the world’s data safe. Furthermore, by integrating source code management, issue tracking, project planning, documentation tools and security training into one infrastructure with a single login, developers waste less time on administrative tasks.
DevOps toolchain with integrated learning material
To help organisations achieve this, Secure Code Warrior is partnering with Cloudogu to bring security training directly into their tool SCM-Manager. With the Secure Code Warrior plug-in for SCM-Manager, educational videos and links to security vulnerability challenges are displayed directly in pull requests. This way developers get the important information about a security vulnerability at the time they need it, including how to prevent it. The plug-in is free and available to use immediately. By helping businesses adopt an integrated approach to secure coding and contributing their joint expertise to building effective DevSecOps teams, Cloudogu and Secure Code Warrior aim to equip businesses with the three fundamentals outlined above for quickly creating leading digital products.
Secure Code Warrior plugin
Download the exclusive and free Secure Code Warrior plugin for SCM-Manager via the Cloudogu platform.
Secure coding skills tournament
To celebrate this partnership, both companies ran an International DACH Coding Tournament on September 29th, 2021. During the tournament, developers competed against their peers in a series of vulnerable-code challenges that asked them to identify a problem, locate the insecure code and fix the vulnerability. All challenges were based on the OWASP Top 10, and players could choose to compete in a range of languages and frameworks, including Java EE, Java Spring, C# MVC, C# WebForms, Go, Ruby on Rails, Python Django and Flask, Scala Play, Node.js, React, and both iOS and Android development languages. Tournaments like this are a free and engaging way to kick off a security awareness program, with prizes for the best players.