Developers tend to get thrown under the bus when it comes to application security, but recent data shows that developers do, in fact, care about security. Take mitigation for example. Developers don’t try to rig the system by rejecting findings as false positives or as mitigated by design. Developers documented mitigations for just 14.4 percent of all flaws found by CA Veracode’s platform in the past year.
Still, IT and development professionals shouldn’t wait for a major breach to occur to uplevel their security skills. Here are a few ways developers can shift their approach from reactive to proactive.
Seek Out Alternative Education Options
The education path for IT and development professionals has some serious holes, especially when it comes to security. A whopping 76 percent of IT leaders report that they weren’t required to take a single security course in college. Many technology professionals are entering the workforce without a cybersecurity education, thus requiring them to learn their most crucial skills on the job rather than in the classroom.
Across industries, online learning has emerged as one of the most valuable resources for working professionals who want to learn new skills. Online education is flexible, personalized and covers a wide array of subjects. The impact is clear: simply completing basic online courses about common vulnerabilities can help a developer improve their fix rate by an average of 19.4 percent.
Many times, developers are forced to take education into their own hands. Sixty-eight percent of IT decision makers report that their organizations don’t provide adequate security training, so they must find a way to fight for educational resources. Teaming up with security colleagues to make the case to the C-suite is one way to do this. A two-pronged approach could make a difference when asking for increased training budgets.
Be Aware of Open Source and Component Risk
The industry is facing a dilemma in securing the software supply chain. As development processes become increasingly automated, a lot depends on how well development teams can piece together open source components with their own handwritten code. This practice increases efficiency and lowers technical debt, but opens new doors for hackers.
Open source components usually carry their own set of vulnerabilities and risks. In the past year, the majority (87.6 percent) of Java applications scanned by CA Veracode suffered from at least one component-based vulnerability. Many organizations either aren’t aware of these vulnerabilities or don’t even know what components make up their software products.
Beyond lack of awareness, consistency in patching is also a problem. Once a development team integrates open source components into their code, they rarely update those components when security patches are released. Attackers frequently jump on newly disclosed vulnerabilities to target victims that fail to update fast enough, so thorough and timely patching is crucial.
Simply put, teams must bring a better discipline to the use of code components. Finding new ways to monitor, track and manage open source components in code is one of the most impactful activities developers can participate in to ensure secure software.
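The discipline described above starts with knowing what components are in the build and whether any of them sit in a version range with a known fix available. The following script is an added illustration, not code from the article or from CA Veracode: it parses a constructed Maven `pom.xml` into a component inventory and matches each entry against a constructed advisory list with placeholder identifiers (`EXAMPLE-ADV-001`, `EXAMPLE-ADV-002`). A real pipeline would feed it the project's actual manifest and an advisory source such as a vulnerability database; the version-range logic is the part that carries over.

```python
"""Component inventory and patch-lag check.

Added example, not the article's or CA Veracode's code. The pom.xml content
and the advisory entries below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

# Constructed sample manifest (not a real project's pom.xml).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>json-parser</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>http-client</artifactId>
      <version>4.0.9</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>logging-core</artifactId>
      <version>1.2.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory list with placeholder identifiers (not real advisories).
# Each entry: (groupId, artifactId, first_vulnerable, fixed_in, advisory_id).
# A component is affected when first_vulnerable <= version < fixed_in.
ADVISORIES = [
    ("com.example", "json-parser", "2.0.0", "2.3.4", "EXAMPLE-ADV-001"),
    ("com.example", "logging-core", "1.0.0", "1.2.5", "EXAMPLE-ADV-002"),
]

# Maven POM elements live in this namespace, so ElementTree queries need it.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def inventory(pom_xml):
    """Return [(groupId, artifactId, version)] for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    components = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        components.append((group, artifact, version))
    return components


def find_vulnerable(components, advisories):
    """Match inventory entries against advisory version ranges.

    Returns [(groupId, artifactId, installed, fixed_in, advisory_id)] so the
    caller knows not only that a component is affected but which version
    closes the finding.
    """
    findings = []
    for group, artifact, version in components:
        installed = parse_version(version)
        for adv_group, adv_artifact, first, fixed, adv_id in advisories:
            if (group, artifact) != (adv_group, adv_artifact):
                continue
            if parse_version(first) <= installed < parse_version(fixed):
                findings.append((group, artifact, version, fixed, adv_id))
    return findings


def main():
    components = inventory(SAMPLE_POM)
    print(f"{len(components)} components in inventory")
    for group, artifact, version, fixed, adv_id in find_vulnerable(components, ADVISORIES):
        print(f"{adv_id}: {group}:{artifact} {version} is affected; upgrade to {fixed}")


if __name__ == "__main__":
    main()
```

Numeric version tuples matter here: comparing `"1.10.0"` and `"1.9.9"` as strings would put the newer release first and silently miss a stale component. Running this check on every build, rather than once at integration time, is what turns the inventory into the ongoing patch discipline the section calls for.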
Leverage Security Teams as Consultants
As DevOps practices spread and more organizations require developers to do their own security testing, the role of the security team is evolving. Security professionals are becoming more like consultants who can uplevel developers’ skills with advice on best practices, strategic planning and individual coaching. This is where the idea of DevSecOps comes into play.
To bridge the gap between development and security teams, attitudes need to adjust on both sides. Security teams must begin approaching developers with an attitude of enablement, and developers must be willing to team up with colleagues who have a hacker mindset and expertise in understanding threats to the organization.
Developers who see security experts as a resource rather than an opponent can make significant improvements to the security of their software application portfolios. Developers who paired their vulnerability findings with remediation coaching from security experts saw an 87.6 percent better fix rate than those who received no coaching.
When it comes down to it, both security and development teams should try to be more proactive. If both sides commit to breaking down silos and learning from each other, they will find that DevSecOps is the best way to ship software both quickly and securely.