Posted on March 22, 2021 at 9:20 AM
Today, software developers are under intense pressure to deliver more code, more quickly than they’ve ever had to in the past. According to a 2020 Dimensional Research report, over 50% of developers say that the volume of code they have to work with is 100x what it was 10 years ago. Over 90% of them admitted they are under pressure to release code faster than before.
With speed of execution and delivering on the roadmap being emphasized so much, application security often takes a back seat to development speed and the conventional definition of software quality. What are the potential results? IBM’s “Cost of a Data Breach Report – 2020” offers some data. The report states that globally, the average cost of a data breach was USD3.86M. In the United States, that number was more than double, at $8.64M. While there are multiple reasons for these breaches, According to Forrester, application weaknesses and software vulnerabilities continue to be the most common external attack method. It’s clear that application security is a challenge for companies.
While time is clearly a challenge that software developers contend with, the report shares that 74% of developers reported that their teams avoid updating code due to the fear of breaking dependencies. This means that not only is vulnerable code being written and deployed, it’s not being fixed. This underscores the importance of writing secure code right from the beginning. Given the increasing demand on developers to ship more code, more quickly, is there a practical solution to the challenge of software security?
To answer this question, we need to examine the root cause of the problem first, and we start with the question, “Why are developers continuing to write code that’s insecure?” Let’s examine some data to find out.
HackEDU’s 2021 Vulnerability Benchmark Report states that injection vulnerabilities have been either #1 or #2 on the OWASP Top 10 for vulnerabilities for 14 years, and that the reason why they’ve been there so long is because they are fixed incorrectly. This is a widely known vulnerability, and one that’s not difficult to fix, once you know how. This behooves the question, “If they’re not difficult to fix, why are developers still not fixing them, or writing code that isn’t vulnerable to these exploits?”. Forrester reports that none of the top 40 coding programs in the United States require a secure coding or secure application design class. The “Application Security in the DevOps Environment” report from the Ponemon Institute reports that 53% of surveyed developers don’t get training on secure coding practices.
The evidence points towards secure coding training as a potential first step towards a more secure and robust software development lifecycle. But how does one get this kind of training? If you do a web search for the topic of “secure coding training”, you’ll find a dizzying array of options to choose from, varying in methodology, delivery method and price. Secure coding training companies offer videos, Powerpoint slides, in-person training, and web-based training. How do you decide which offering is best, and what are some of the things you should consider when evaluating secure coding training options? While you may have your own organization-specific questions, the following list is a great place to start:
- Does the company offer hands-on training? Learning by doing is always more powerful than merely reading or watching videos
- Is the content delivered in bite-sized increments that can be easily digested and recalled, or all at once? Bite-sized lessons encourage developers to actually take the training, since they won’t have to spend too much time on each module, and allows them to practice what they’ve learned
- Is the training offensive and defensive, or does it only focus on defence? Offensive training, paired with defensive training, has been proven to be superior at helping developers to detect and fix vulnerabilities. A University of Mannheim study states that “The results… advantage of the offensive group over the defensive group that is significant” and “it leads to a better understanding of information security and that it is more motivating”
- How good are the administrative tools? Do they allow administrators to set up teams, deploy, oversee and measure the students’ progress easily, and make modifications to the lesson plans with ease?
- Are the training modules relevant and fit into the developers’ development workflow? Do they integrate with existing tools such as SAST/DAST tools, SCA tools, bug bounty programs, issue trackers and code repositories?
- Are there gamification components to the secure coding training? This helps to increase motivation, and helps with understanding
The idea of secure coding training isn’t new, but is often overlooked because it has traditionally been a burden to both the developers who take it, and the administrators who have to manage it. With the right secure coding training, those barriers are no more, and companies can benefit from having an empowered team of developers who will write more secure applications.