You are here

Devs are the key to app sec: Make training a priority

Erdem Menges, Evangelist, Micro Focus Fortify

In a digital world where we're constantly bombarded by distractions, quality time spent focused on the task at hand is hard to come by. Errors are a common part of life, especially if you're distracted or lack some of the key skills for delivering a task.

Add the business pressure for more capable applications and quicker go-to-market to that mix, and it's easy to understand why modern applications contain more functional errors and security defects than their predecessors.

Developers don't want to develop bad code, but they're pushed to their absolute limits because of time constraints and lack of training, in many cases. While commonly overlooked, security training is a key component for success in application development.

Developers are both artists and engineers, and most organizations' success relies heavily on the quality of their work. Without a doubt, creating applications that run the business is no easy feat. Although developers are algorithmic geniuses, few are interested in cybersecurity—and even fewer receive the training they need to create secure applications.

Training developers about security helps widen their perspective, creates new growth opportunities, and has a single immediate benefit for organizations: Code is delivered with fewer security defects.

Here's how training contributes to organizations' success, and the most effective ways to deliver secure-code training.

Gartner Magic Quadrant for Application Security Testing 2019

1. Lowers time to market

Having fewer security defects in the code will significantly shorten the cycles for security testing and remediation. Releases will be delivered in shorter and predictable time frames, allowing more flexibility for innovation and delivering more business value with the same resources.

[ Special Coverage: RSA Conference 2019 ]

2. Reduces overall dev/testing effort and cost

Reduced testing and remediation cycles mean that less effort will be needed for fixing the defects and following up. In an era where developers and security experts are highly sought after and most positions go unfilled for months, organizations can benefit from optimizing the use of the existing workforce.

[ Get Report: How to Get the Most From Your Application Security Testing Budget ]

3. Lowers the risk

Having applications with fewer security defects than before effectively lowers the organizational risk, because it makes the organization more resistant to attacks. The benefit here is staggering if you consider DHS's stats on the risk related to software: Some 90% of reported security incidents result from exploits against defects in the design or code of software, as estimated by the Software Engineering Institute.

Although having software with fewer to no security defects is no silver bullet for cybersecurity, it is one of the most effective ways to lower organizational risk.

4. Reduces attrition rate for developers, testers, SMEs

With the challenges around the shortage of experts in software development and security, finding good candidates for open positions, and getting new hires onboard, keeping top talent is becoming more critical for success.

Having software with fewer defects (security-related or not) helps organizations reduce attrition by removing repetitive tasks, lowering remediation cycles, and reducing follow up efforts. As a result, you get developers, testers, and security experts who are more productive and happier. Further, these pros are not exposed to friction among business units, which is common during traditional security defect identification and remediation cycles.

There are multiple steps organizations can take to have code with fewer/no security defects. These steps include having an application security program, identifying security champions within development, and identifying the tools for testing and securing code throughout the software lifecycle.

Prioritizing security training (especially for developers) helps to get all stakeholders for application security on the same page, while improving productivity and increasing intra-team communication. Developers are builders at heart and they learn best by doing (rather than being shown or told). Delivering security training is no different.

Here are the most effective ways to deliver secure code training.

Traditional courses

Traditional courses, whether delivered in person or virtually, offer a good way to set a common baseline for all developers in the organization. These trainings explain the "why" (Why should we care about application security?), and provide guidance on the most important security concepts and common types of security defects.

Developers who receive traditional trainings will also know when to reach out to their security subject matter experts (SMEs). Including the contact information of the security SMEs in these trainings has great value, since it's important for developers to know how they can get additional help when they need it.

Gamified training

Gamified training options offer a fun, flexible alternative for developers to understand the technical details about security defects and corresponding attacks. Video game-like flows and incentivized tournaments within organizations help drive developers' attention and engagement.

Gamified training delivers specific use cases and games for security defects in the developer's preferred programming language, and can help accelerate security ownership within developers.

Share static, instrumented, or dynamic testing results

There's no news more shocking (and insulting at times) to give a developer than the security defects in their own beloved code. Developers who are presented with the security defects and possible consequences of their code go through multiple stages of denial before accepting the risk and taking action to fix the defect.

Denial can include technically challenging the finding, stressing that this is a false positive within the context, and suggesting that the defect is highly unlikely to be exploited.

Sharing test results, and having a discussion on the defects, is very powerful. The example is no longer generic or abstract for the individuals. They observe firsthand that the code that they wrote—while it does what it should do in stellar fashion with the lowest performance impact—can result in a catastrophe for their organization.

After the denial stages, they understand that there's no getting away from this defect and that the easiest way out is to fix it. This is when they also figure out that the best way to avoid being a similar situation in the future is not to create these defects in the first place.

Secure your development training initiative plans

Traditional courses, gamified training, and shared test results all deliver different skills and knowledge for developers and all complement an end-to-end secure development training initiative. Whether you're working with seasoned developers or fresh grads out of college, now is the best time to work on an initiative for secure development training and give developers the tools they need to become the key drivers for application security.

Through prioritizing security training, you can enjoy immediate improvements—fewer defects in the current projects and a morale boost following the training—in addition to creating common ground for your application security program. 

[ Webinar: How to Fit Security Into Your Software Lifecycle With Automation and Integration ]