As companies migrate to more resilient cloud infrastructures, threat actors continue to turn their attention to the application landscape as an entry point for compromising systems. With no less than 76% of applications plagued by at least one security flaw, securing software must be a priority. Unfortunately, a startling lack of training and education opportunities has left many developers ill-prepared to write secure code and build systems that are secure by design — right at the time when we need them most.
Despite finding ourselves at this crunch point, the cybersecurity skills gap remains huge. This is compounded by a consistent lack of workplace training to teach employees secure coding principles and how they affect the software development life cycle.
Meanwhile, threat actors are becoming more capable, and recent high-profile attacks on the likes of SolarWinds and the Colonial Pipeline have prompted US President Joe Biden to issue a sweeping cybersecurity executive order that puts significant emphasis on software security.
Among the many factors that play into the lack of secure coding education in the secondary curriculum, the most glaring is that some faculty simply don't know enough about the security field, leading to gaps between academia and industry. Moreover, the gap has grown due to constant changes and evolving tool chains in software development. Academia struggles to keep up, and students miss out on opportunities to learn a critical and in-demand skill.
Of the college courses that do cover cybersecurity, many are focused on protecting against issues caused by poor software security practices as opposed to teaching how an attacker can manipulate and control a system as a result of insecure code.
Developers need to understand the basics of how an application can be at risk from attack vectors such as SQL injection or command injection. These are specific concepts that aren't being taught enough in school, so training modules around secure coding and application security principles must become a requisite of any computer science curriculum.
On-the-Job Training Must Be Meaningful
As most coders enter the workforce without foundational secure coding knowledge, it's increasingly important that developers have access to effective educational opportunities in the workplace to keep up with changes in vulnerabilities and coding best practices.
The good news is more than half of organizations in North America provide developers with some level of security training, but just 29% require training more than once a year. While many organizations offer their employees initial security training or self-taught modules, ad hoc, infrequent training doesn't empower developers to put what they've learned into practice. On top of that, modern training exercises are often generic, boring, and far removed from actual flaw identification and remediation, making it difficult to retain and execute the training in the real world.
In day-to-day life, a developer writes a bunch of code, and then a week or a month later, a security issue pops up. Half the time, another developer remediates the flaw so the person who wrote it never gets the opportunity to fix it. That means the original developer never applies what they learned and thus quickly forgets the lesson.
Developers are always trying to learn new coding techniques — it's in their DNA. So, lack of interest isn't the problem. It's the lack of interesting training options. The trick is to make it meaningful — both engaging and applicable. Create hands-on learning opportunities that allow coders to exploit and patch real code, get real-time feedback, and then apply those AppSec principles to the code they write. This immediate feedback loop helps coders learn and practice application security in real-world scenarios that mirror their workflow.
Management Dilemma: Risk vs. Reward
The other big challenge to ongoing security education is altogether different and, perhaps, even harder to solve. With constant pressure to produce more code faster, development teams can't afford to lose coders to training for hours or days at a time on a frequent basis. It cuts into production — a measurable cost that's hard to defend to the business. On the other hand, what's at stake is potentially far more costly.
Management must weigh the risk of lost production against the benefit of security-minded developers. With the cost of a data breach now $424 million, arming developers with the knowledge to prevent and fix software flaws is worth a few hours of "rerouted" productivity. Helping management prioritize developer education is a tall order, but one the industry must figure out.
Make Developers the Hero
Cyberattacks occur every 39 seconds, and if recent examples of cyberattacks and ransomware incidents are any indication, things are only going to get more serious. It is time to prioritize secure coding training for both up-and-coming and existing developers to give them the knowledge they need to build secure software from the start. The next generation of developers doesn't yet know what's in store for them, but they may just be the heroes we need to shift the tide in our favor.