As businesses migrate to more resilient cloud infrastructures, threat actors continue to focus on the application landscape as the entry point for compromised systems. With as many as 76% of applications experiencing at least one security breach, securing software must be a priority. Unfortunately, a glaring lack of training and education opportunities has left many developers ill-prepared to write secure code and build systems that are secure by design, just when we need them most.
Although we are at this critical point, the cybersecurity skills gap remains huge. This is compounded by a constant lack of on-the-job training to teach employees the principles of secure coding and how they affect the software development lifecycle.
Meanwhile, threat actors are becoming more capable, and recent high-profile attacks on SolarWinds and Colonial Pipeline have prompted U.S. President Joe Biden to issue a sweeping cybersecurity executive order that emphasizes software security.
Of the many factors that contribute to the lack of secure coding instruction in the higher education curriculum, the most glaring is that some teachers simply do not know enough about security, which creates a gap between universities and industry. That gap has widened further because of constant change in software development and its evolving tool chains. Academia is struggling to keep pace, and students are missing out on opportunities to acquire critical and sought-after skills.
Of the academic courses that do cover cybersecurity, many focus on defending against the consequences of poor software security practices rather than teaching how an attacker can manipulate and take control of a system because of insecure code.
Developers should understand the basics of how an application can be threatened by attack vectors such as SQL injection or command injection. These are specific concepts that are not taught enough in school, so training modules around secure coding and application security principles should become a prerequisite for any computer science degree program.
On-the-job training must be meaningful
As most coders enter the workforce without fundamental knowledge of secure coding, it is increasingly important that developers have access to effective educational opportunities in the workplace to keep up with evolving vulnerabilities and coding best practices.
The good news is that more than half of organizations in North America provide developers with some level of security training, but only 29% require training more than once a year. While many organizations provide initial security training or self-study modules for their employees, ad hoc and infrequent training does not let developers put what they have learned into practice. On top of that, much of today's training is generic, boring, and far removed from finding and fixing actual flaws, which makes it hard to sustain and hard to apply in real-world work.
In everyday practice, a developer writes a body of code, and a week or a month later a security problem surfaces in it. Half the time, a different developer fixes the flaw, so the person who introduced it never gets the chance to correct it. The original developer therefore never applies the lesson and quickly forgets it.
Developers are always trying to learn new coding techniques – it’s in their DNA. So lack of interest is not the problem. It is the lack of interesting training options. The trick is to make it meaningful – both engaging and applicable. Create hands-on learning opportunities that allow coders to leverage and debug real code, get real-time feedback, and then apply those AppSec principles to the code they write. This immediate feedback loop helps coders learn and practice application security in real-world scenarios that mirror their workflow.
Management dilemma: risk versus reward
The other big challenge in ongoing security education is quite different and, perhaps, even harder to solve. Under constant pressure to ship more code faster, development teams can't afford to pull coders away for hours or days of training. That reduces output, a measurable cost that is hard to justify to the company. On the other hand, the cost of not training is potentially far higher.
Management must weigh the risk of lost productivity against the benefits of security-conscious developers. With the cost of a data breach now $424 million, arming developers with the knowledge to prevent and correct software flaws is worth a few hours of "rerouted" productivity. Helping management prioritize developer training is a big challenge, but one the industry needs to understand.
Make the developers the hero
Cyber attacks happen every 39 seconds, and if recent attacks and ransomware incidents are any indication, things will only get worse. It's time to prioritize secure coding training for emerging and existing developers so they have the knowledge they need to build secure software from the start. The next generation of developers doesn't know what to expect yet, but they may be just the heroes we need to turn the tide in our favor.