How to fix your IT security skills gap: 3 self-learning methods for developers

Maria Loughlin, VP of Engineering, Veracode

The higher education curricula available for IT and development professionals have significant gaps. Even the most educated in the community, including those with bachelor's and master’s degrees, are learning basic security skills on the job, rather than in the classroom.

Technology professionals are entering the workforce without a cybersecurity education—and with 2 million security jobs in need of filling by 2019, that’s a serious problem. With hacks and breaches so commonplace, cybersecurity education shouldn't be an afterthought. 

Fortunately, for those who need to get up to speed, there are alternatives.

Developer security skills lacking

Most university computer science courses don’t provide sufficient instruction on how to reduce security flaws in code, an important part of the developer’s role in the new DevSecOps ecosystem. A recent DevSecOps Global Skills Survey (registration required) on security education found that, while nearly 80% of respondents hold either a bachelor's or master’s degree, 70% said their security education did not meet their current position’s requirements.

Universities and colleges across the country should integrate more security training into their computer science curricula, but that is a long-term process. With cyberattacks happening at an increasing rate and hackers becoming bolder, it's clear the industry urgently needs a short-term solution as well. In the short term, it is up to the organizations themselves to upskill their developer teams in the art of security.

The recent wave of companies shifting to DevOps practices presents an opportunity for business leaders to work security into the mix by implementing DevSecOps. Traditionally, developers were responsible for the functionality of the code they wrote. This was reinforced by the previous divide among the development, operations, and security teams.

The shift to DevSecOps means developers need to take a more active role in assuring both the quality and security of their code. This is creating new opportunities and new challenges for developers.

To avoid being part of a global cyberattack, organizations need to integrate secure development into their DNA from the start. Here are a few strategies business leaders can implement to educate their teams and create a security-first culture.

1. Bring in security experts for in-person training

A third of respondents in the survey identified third-party training as their preferred way to learn new skills. Unfortunately, just 4% of those surveyed had access to external training resources. Hiring a third-party expert to lead an in-person training session can be costly, so many organizations choose simpler, more cost-effective methods, such as remote video training or online courses.

For core skills such as secure coding and penetration testing, it is important that leadership set a skill standard for each team. This means mandatory training at every level and similar training for new hires. Setting annual goals for a corporate education program will ensure ROI.

2. Integrate security scanning into your DevOps process

The best way to make sure that developers are creating secure code throughout the entire development lifecycle is to provide them with constant feedback. When mistakes are caught as soon as they occur and edits made in real time, productivity increases for the whole team.

Integrating static scanning into the DevOps process helps developers remediate vulnerable code as they go, rather than having to go back and fix vulnerabilities when the process is complete. This is especially important as the software development lifecycle continues to accelerate, meaning developers are expected to ship applications with increasing frequency. Automated static scanning ensures that security is not an afterthought in this rapid-fire process.
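The following is an added illustration of the "constant feedback" idea above, not code from the article or from Veracode's own tooling. It assumes the static scanner emits a SARIF 2.1.0 report (a widely supported output format) and that the team keeps a small baseline of accepted legacy findings, so a pull request is blocked only by new findings it introduces rather than by debt that predates it. The report, rule IDs and file names are constructed for the example.

```python
"""CI gate over a static-analysis (SAST) report.

Assumptions (not from the article): the scanner writes SARIF 2.1.0, and the
team keeps an allow-list of accepted legacy findings so that only *new*
findings block a merge. Everything below is constructed for illustration.
"""
import json
import sys

# Constructed SARIF report standing in for real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQL-INJECTION", "level": "error",
             "message": {"text": "Query built with string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "HARDCODED-SECRET", "level": "error",
             "message": {"text": "Credential literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/legacy/db.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "WEAK-HASH", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})

# Accepted legacy findings (rule, file): tracked debt, not a merge blocker.
BASELINE = {("HARDCODED-SECRET", "src/legacy/db.py")}

# SARIF result levels, ranked so a threshold can be applied.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def parse_sarif(text):
    """Flatten SARIF results into simple records the gate can reason about."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "UNKNOWN"),
                "level": res.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def blocking_findings(findings, baseline=BASELINE, fail_on="error"):
    """Findings that should fail the build: at or above `fail_on` severity
    and not already accepted in the baseline."""
    threshold = LEVEL_RANK[fail_on]
    return [f for f in findings
            if LEVEL_RANK.get(f["level"], 0) >= threshold
            and (f["rule"], f["file"]) not in baseline]


def gate(report_text, baseline=BASELINE, fail_on="error"):
    """Return (passed, blocking findings, all findings) for one report."""
    findings = parse_sarif(report_text)
    blocking = blocking_findings(findings, baseline, fail_on)
    return (not blocking, blocking, findings)


def format_feedback(findings):
    """One line per finding, in the file:line form editors and CI logs link to."""
    return "\n".join(
        f"{f['file']}:{f['line']}: [{f['level']}] {f['rule']}: {f['message']}"
        for f in findings)


if __name__ == "__main__":
    # In a pipeline the report path would come from the scanner step.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, blocking, _ = gate(text)
    if blocking:
        print("New static-analysis findings block this change:")
        print(format_feedback(blocking))
    sys.exit(0 if passed else 1)
```

Run in a pipeline step right after the scanner, the script exits non-zero and prints the exact file and line for each new high-severity finding, so the developer fixes it in the same change rather than in a later cleanup pass; lowering `fail_on` to `"warning"` tightens the gate once the team has worked through its baseline.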

3. Create security heroes

Not every developer needs to be a security expert. However, every successful team needs someone with security knowledge and an understanding of how developers work. Training just a few developers on the fundamentals of secure coding creates security heroes who bring security awareness into the daily scrums for their entire team.

The team members can turn to their security hero for everyday secure design and coding advice. These advocates guarantee that their scrum prioritizes security in the software development lifecycle and calls in additional support for more challenging security issues. Security heroes ensure that no vulnerability goes unpatched as a result of lack of security awareness. They also help developers receive informal security training from peers who speak their language.

Education key to developing a security culture

As more organizations adopt DevOps and DevSecOps practices, traditional phase-gate security processes will become a thing of the past. Coping with this shift in development style starts with education.

Implementing self-learning methods is the first step toward creating a culture of security that permeates an entire organization, and will bolster your organization’s defense against hackers.
