Security-aware developers are the best first line of defense an organization can have when it comes to software security. They ensure that the code being used in applications is secure from the get-go. They can save countless hours otherwise spent on technical debt, fixing flaws found in code during testing or after release, not to mention the potential costs of lost business, regulatory fines and reputational damage that can result from a breach.
However, the problem for many organizations is that their developers aren’t equipped to ensure the security of the software they are writing. Too few organizations have invested in upskilling developers in secure coding practices, a skill set distinct from the one required to write code or build applications. Without the right upskilling program, organizations will continue to languish in the risky world of insecure software.
That is starting to change, as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a global Secure-by-Design campaign that is being echoed in other countries, such as Australia. The goal is to shift the burden of responsibility away from the consumers and small businesses on the receiving end of software and place the onus for security on those who produce it. Australia’s Secure-by-Design guidance, for example, pushes for a whole-of-organization approach to security, emphasizing that secure software is a business goal as well as a security and compliance requirement.
Rather than viewing Secure-by-Design as an additional burden that gets in the way of business, vendors should see this as an opportunity to nail down their security programs, adopting a new standard of secure software excellence, with security-aware developers as a pivotal ingredient.
Companies that respond by upskilling their developers should take a three-tiered approach: implement a measured program that delivers education and competency, provide right-fit tools that suit the organization’s tech stack, and overhaul the processes that have allowed cut corners and insecure coding patterns to run rampant.
Provide Meaningful Training (and Measure Progress)
The organizational benefits of secure coding, including greater security and productivity, are apparent. Developers also have their own incentives to acquire security skills, including higher salaries, the opportunity to work on more prestigious projects and greater job satisfaction with less rework.
But developing software and doing so securely have been, to date, two different things. Software security is an area where colleges and universities have notably fallen short. CISA recently called universities on the carpet for overlooking secure software, saying the schools were “producing a software developer workforce that enables increasingly damaging cyberattacks.” Of the country’s top 24 computer science universities, only one requires cybersecurity in its curriculum, CISA said. For the other 23, it is an elective.
While higher education institutions may get on board with secure coding as part of CISA’s Secure-by-Design campaign, the upshot for companies right now is that developers must learn on the job.
Enterprises should upskill developers, measure their progress, prove that they’ve acquired the necessary skills and reward them as part of a holistic approach to reducing risk. There are three tiers to the upskilling process:
- Education: Upskilling developers requires an agile, interactive learning program that provides the training they need and fits their schedules and work environments. The program should be available in multiple formats, involve hands-on practice with the kinds of real-world vulnerabilities developers are likely to encounter, and include benchmarks to measure progress.
- Right-fit Tools: The training should fit the environment developers work in. For example, it should use the programming languages and frameworks the developers actually write in, and the tools relevant to their jobs.
- Overhauling Processes: Secure code must become part of a company’s culture, a business priority as much as a security priority. Organizations can ensure that secure software is ingrained in the environment by writing secure code from the beginning of the software development lifecycle (SDLC), rather than bolting security on at the end, and by continuing to test for and remediate flaws throughout the lifecycle.
Providing the training is one thing, but organizations must also be sure that it sticks, that is, that developers have absorbed the material and know how to apply it. An automated, data-driven assessment of the development team’s secure coding skills can serve as part of that benchmarking process.
A trust score measures individual progress and aggregates it into an overall view of the team, identifying top performers, average achievers and those who need more help. Combined with benchmarking metrics, it lets organizations evaluate the effectiveness of upskilling programs both within the organization and against industry benchmarks and best practices, and highlights areas to optimize on the way to a high-performing, secure development team.
To add context and gain fuller visibility into how upskilling is reducing risk to the enterprise, organizations can use a trust agent, which ties AppSec training to specific developer code commits. Such an agent records who made each commit, the language they worked in and their verified security knowledge and skills. That information is presented in dashboards, offering insight into how well development teams’ security competencies and code commits are aligned across the organization.
A trust agent can also incentivize skill development by gating access to sensitive repositories and prestigious projects until skills verification and benchmarks have been met.
Security From the Start With a Data-Driven Approach
In today’s fast-moving AppSec environment, creating secure code at the beginning of the SDLC is no longer something nice to have; it is essential. Developers are producing more code than ever before, and vulnerabilities can appear in live code faster than security teams can identify and remediate them.
Organizations need their developers, working with security teams, to ensure code is secure at the beginning of the development process, whether they are writing the code themselves, using code generated by AI assistants, or pulling in open-source code from a repository. Each of those sources can introduce flaws, and a developer who can recognize insecure patterns is the one control that applies to all of them.
But they need good training to do that, and companies must ensure that developers are applying what they have learned. A comprehensive, agile upskilling program, backed by data-driven benchmarks that show the training is producing measurable results, is the key to lowering organizational risk. It gives developers an incentive to gain the secure coding skills they need while setting a new standard of secure practice and compliance for the organization.