Each application we use is a potential target. Hackers will always try to find security vulnerabilities within our products, and if they find a way in, they can spread malware, take control of your systems and steal your confidential and valuable data. With your organization and customer loyalty at risk, it’s vital you take all the steps you can to secure your systems.
Fifty-two percent of respondents in a recent survey on root causes of security breaches answered that human error is the leading contributor to intrusions. Additionally, a 2014 Denim Group surveyreported sordid numbers when testing developers on their application security knowledge. Educating the people that create the software you use and sell is one of the biggest hurdles to reduce those numbers and putting the time and resources into doing so will serve you well in the future. Teaching secure coding practices and educating developers about potential vulnerabilities can help you ensure the longevity of both your software and your application security program.
Why Training Developers in Secure Coding Practices is Essential
Developers continue making the same mistakes over and over again. SQL injections, for example, have been prevalent in applications for the past 15 plus years ‒ and they still manage to evade developers and code testers. Without teaching developers the secure coding practices that would both give them the security education developers need and more responsibility for the code they write, we’re opening ourselves up to risk.
Programmers should be held accountable for their code, but they can’t do that if they don’t know what to look out for. Developers are taught to look at code one way, while security professionals and hackers will look at it in a different way, unintended by the programmer. There’s a major gap between development and security, and training developers on the secure coding practices and techniques is the first step in reducing the gap.
Training developers will go a long way in preventing security issues ‒ and preventing software vulnerabilities pays off. The benefits of fixing code earlier in the software development lifecycle (SDLC) ‒ a byproduct of both a strong security education program and finely tuned testing tools ‒ are well recorded. Estimated “costs to fix” later in the SDLC are between 6 and 1,000 times more expensive than fixing security bugs in the coding stage, making it easier to convince management or development team leads of the value in giving developers extra training when it comes to application security.
So how can you translate all of this into actually getting developers the training and education they need to secure the code they work so hard on? Here are five tips to help get you started.
Get management on your side
Most security programs won’t stick around if they aren’t supported by management. The quest for building a secure organization has to be adopted at every level within the organization ‒ starting with getting management on board. A 2012 SANS Institute surveyfound that the biggest barriers to implementing application security training and AppSec programs were a “lack of management funding and buy-in” and a “lack of application security skills.” So, in order to move forward with secure coding training, management support is absolutely essential.
In Robb Reck’s talk on his success in building an application security program at this year’s RSA Conference, he began by finding support at the highest levels he could. By enlisting each department’s support towards the unified goal of producing secure applications and increasing visibility into potential risks, especially at the top of the pyramid, you’re helping to shift the corporate culture to one more engaged in security.
When developers understand that ensuring code is secure before deployment is more important than a lightning-fast release, you’ll be setup for better success in your training programs.
Train developers in fun, engaging ways
Most developers don’t see security as part of their job. Why should they? Secure coding isn’t taught in computer science programs, and it’s not written into their job descriptions. To top it off, most of the time developers will see the security team as a roadblock to an applications quick release and success. A key tip in getting developers to learn secure coding practices is to teach them in ways they’ll enjoy ‒ and help coax them out of the poisonous thinking that makes our applications vulnerable.
Gamification has become the latest buzzword in the security industry and for good reason. Activities like internal bug bounty programs and capture-the-flag challenges have majorly assisted in increasing security awareness among developers. Offering incentives like free beer, pizza or even candy, as Etsy’s security lead Rich Smith found, can have a deep impact on getting developers on your side.
Learn how the development team works and how security can be better integrated into their workflow and culture
A recent North Carolina State University study found that even developers working on security-related products were not more likely to use secure coding practices and tools on their code. Even security products can be released chock-full of security vulnerabilities when we don’t work to train developers in secure programming.
One vital part of embedding security into the development culture is to learn how the development team in your organization works and use that to determine how and which secure coding practices can be better implemented. Catering security education and awareness to the developer’s workflow and their culture is an important part of any successful application security program.
Pinpoint security evangelists or “champions” among your developers and give them more security responsibilities
Not all developers will play the same role in your organization’s security process. Each stakeholder has a different role to play. So, when teaching secure coding practices, you should be able to determine which members of the development team have stronger security skills and are more engaged with the training. These are the people who can help you build the foundation of how secure coding practices are embedded into your development teams.
Get your security champions involved in threat modeling and the design phase and ask for their input on how the AppSec program is being implemented. By getting the development team leads to reward employees for secure coding ‒ possibly through gamification, as discussed earlier ‒ you’re helping to set the standards for how security will be treated in your organization going forward. And, as Robb Reck pointed out, they help keep the program running smoothly at times when the security team is focused on something else.
Keep developers up to date on the latest security news
A final way to getting developers to code more securely is to keep them updated on the latest security events. As discussed earlier, developers aren’t traditionally taught to look at code through a hacker’s eyes. Thus, holding discussions around the latest breaches along with their root causes and sharing news of zero-day bugs and major vulnerabilities can go a long way in reshaping their view of how they approach security.
In addition to discussing industry news with your developers, sharing results from security analyses conducted on your own code is an important part of getting developers to learn from their own mistakes. They can’t change their ways if they don’t know anything is wrong, so sharing your testing results and offering ways to improve is a major part of secure development training.
About the Author
Sarah Vonnegut is a content specialist and community manager at Checkmarx, an application security company offering static code analysis tools. In honor of National Cyber Security Awareness Month, Checkmarx developed SecureDevKit.com, dedicated to helping organizations promote security awareness with free resources, tips and challenges!