Developer-driven security programs place the development team at the center of reducing vulnerabilities.

Matias Madou, Co-Founder & CTO, Secure Code Warrior

February 27, 2024


COMMENTARY

Although cybersecurity has always been a critical area for organizations that write their own software, we're rapidly approaching a near-perfect storm of various forces that are elevating the risk profile of those organizations to unprecedented levels. Organizations that don't respond by implementing secure-by-design programming tactics for everything they create risk being swept away by the new ocean of threats and perils. 

We all know that the threat landscape has steadily gotten worse, with everything from organized criminals to groups supported by nation-states now competing with solo and professional attackers.

Few organizations can react successfully every time an advanced threat attacks them, much less pay millions in cleanup costs. But the situation is even more critical, as the shortage of skilled cybersecurity personnel is more acute than ever. A Korn Ferry study estimates there will be 85 million unfilled jobs around the world by 2030. And because technical fields that require advanced skill sets — like cybersecurity — will be some of the most affected, companies won't be able to simply hire new candidates to improve their security posture.

Finally, the legislative environment is starting to change in potentially unfavorable ways to those who write code. Driven by deep wariness among consumers who are tired of having their information stolen because of poor security practices, the Cybersecurity and Infrastructure Security Agency (CISA) recently released its 2023–2025 strategic plan. The CISA plan calls for technology to be designed to minimize the number of vulnerabilities before it is introduced to the public. While recommendations in the plan are simply suggestions right now, there is a very real chance that some elements of it will be codified into law.

Meeting the Challenge of a Perfect Security Storm

Though various factors make the situation more complex than ever, companies that create their own software are in a unique position to meet the new challenge by tapping into an incredible resource they already have: their developers. By empowering, upskilling, and reskilling their developers, organizations can help to improve their security posture, write more secure code with fewer vulnerabilities, and comply with government mandates before they become non-negotiable. 

Here are four ways that progressive, smart organizations are already achieving that critical goal.

Identifying Actual Success Criteria

Training without well-defined goals is only minimally effective in improving skills. When implementing a good cybersecurity training program, it should be laser-focused on predetermined business drivers and goals. For example, in our experience, the three most common business drivers include compliance, risk mitigation, and productivity. The desired post-training goals must be well identified to further define a good training program.

Identifying Security Champions

A security champion is not necessarily the best programmer, although having those skills can help. The best security champions are those in the development team with an active interest in security and a desire to help others get up to speed on the latest best practices and techniques.

The most successful organizations spend time identifying their champion(s) — meanwhile, programs without champions run the risk of never achieving those defined long-term business goals.

Rolling Out Incentives

The truth is, training programs and upskilling will represent, at least initially, an increased workload for already extremely busy developers. This can be especially true for those security champions who are helping to anchor the program. As such, providing incentives and rewards shows how valuable developers’ contributions are to the company — and how much they are appreciated.

There are different kinds of incentives. Yes, budgets are always tight, but given that a single successful data breach can cost more than $4 million, investing a fraction of that in the people who are working to help avoid that fate is a smart decision. We have also found that many developers respond even better to non-monetary rewards such as privileged access to better projects, new job titles, and more freedom to operate with fewer guardrails as their skills improve.

Measuring Success

Even with a well-planned program, there may be unexpected pitfalls or areas that need to be tweaked. Initially, the best measurement of success is developer participation. Assuming the entire program was not made mandatory (something we discourage — developers should want to take training and be given incentives to participate), then participation levels will be a significant factor to measure.

Beyond that, you should be able to measure how successful you are at meeting those clearly defined business goals. For example, if scans reveal fewer vulnerabilities in code written after training, and your goal is risk reduction, then the training program meets your core business goals.

Several factors are working against companies that make software these days, and together they can make weathering such a perfect storm seem almost impossible. However, those who look to their developer communities and empower them with highly targeted training programs can rise above the storm, thriving where others may flounder.

About the Author(s)

Matias Madou

Co-Founder & CTO, Secure Code Warrior

Matias Madou is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company, Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences, including RSA Conference, Black Hat, DEF CON, BSIMM, OWASP AppSec, and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
