Why organizations should adopt an integrated and continuous approach to application security education

By Amy Baker, Security Education Evangelist, Security Journey

The software supply chain is under increasing threat. With nearly half of organizations predicted to experience at least one software supply chain attack by 2025, developers and AppSec teams are becoming an increasingly popular target for cybercriminals who can wreak havoc. Especially when they exploit well-known and easily fixed vulnerabilities. For instance, the now infamous ‘Log4Shell’ vulnerability left some of the world’s most commonly used applications and services open to attack and will reportedly ’haunt the internet for years’. More recently, the OpenSSL vulnerability caused chaos when it threatened to be a serious security bug, despite also being one of the most common coding issues and easy to fix (a buffer overrun).

These vulnerabilities affect businesses and consumers alike, as made evident by recent Apple weaknesses that allowed hackers to take complete control of users’ devices. It’s time to prioritize security, but doing so will take dedication to secure coding training.

Insecure software is still rewarded

One reason the software supply chain remains vulnerable to security threats is that it effectively continues to reward insecure software. In his opening keynote of Black Hat 2022, Chris Krebs stated that security would only continue to get worse before it gets better because the benefits of insecure software far outweigh the negatives. In other words, within the software development lifecycle (SDLC), organizations prioritize being the first to market. This goal is often at odds with security, which is portrayed as a barrier to productivity; 71% of CISOs claim their DevOps stakeholders view security as an impediment to fast development. This results in sacrificing security in the name of speed to market, the negatives of which are often not fully recognized until it’s too late.

The AppSec Dilemma

This pressure to quickly create and bring products to market places immense expectations on those developing the software. And this is only increasing. 51% of developers deal with 100x more code than ten years ago. And almost all developers (92%) feel they must write code faster than before.

The ownership of application security becomes an issue with an overstretched team, often viewed as someone else’s responsibility – be that AppSec, security, or IT professionals. Yet application security lives in a variety of places across an enterprise. Therefore, the executive team or board must buy into the value of secure coding training. Leaders must recognize that a security-first mindset is crucial for everyone within the SDLC. Product and project managers, DevOps, User Experience (UX) Designers, and Quality Assurance (QA) professionals influence the end result in software development and, therefore, will need to play a part in security. Sharing this responsibility is the first step in ensuring that secure coding is not forgotten.

Moreover, innovation and security do not have to be mutually exclusive, and treating them this way is likely why the number of new vulnerabilities continues to increase. Although almost always accidental, these security flaws and lack of proper secure coding education can turn developers into non-malicious insider threats. This insecure code can also be extremely costly; according to Boehm’s law, “the cost of finding and fixing a defect grows exponentially with time.” Investing in proactive prevention rather than reactive mitigation is, therefore, the most efficient solution for organizations in terms of security and an enterprise’s bottom line.

Continuous and programmatic education

Shockingly, 53% of developers have no professional, secure coding training, and none of the top 50 U.S. undergraduate computer science programs require a code or application security course. With workforces worldwide struggling to fill the cybersecurity skills gap, it is vital that organizations look to an integrated and continuous approach to application security education across the entire SDLC. This must be:

  • Specialized

For those involved in delivering code, it is essential that training speaks directly to the issues they face daily. Advanced, developer-specific education should be run in parallel with foundational application security training programs for those with roles in the SDLC that may not necessarily need hands-on expertise. These initiatives will empower the whole team to make more informed decisions around activities like threat modeling, application design, and what’s in the software supply chain to integrate security across every aspect of development.

  • Continuous

Secure coding training must be a continuous and evolving journey. It should never be a check-box, one-and-done exercise. In order to keep security front of mind, constantly building on knowledge and being aware of the ever-changing issues in the market is crucial.

Organizations should offer incentives or rewards to those who consistently apply security best practices in their day-to-day work. Security champions engage others and organically influence change. By measuring results – like the number of vulnerabilities in code before and after training programs – and recognizing success, it is also far easier to get buy-in from stakeholders and justify the investment in secure coding education to the decision-makers.

Looking ahead

Innovation and security can integrate into the SDLC as long as we recognize these are not two aspects of development at odds with each other. This mindset needs to change, especially in an era where new critical vulnerabilities are revealed weekly and cybercriminals are becoming increasingly sophisticated. Staying one step ahead requires a commitment to application security education. This isn’t a one-off but a career-long journey we need to kick-start today.

About the Author

Amy Baker AuthorAmy Baker is a Security Education Evangelist at Security Journey. Over her 30-year career, Amy has more than 10 years of experience driving the mission of improving security knowledge for employees in all roles. Her current responsibility is dedicated to improving security knowledge for everyone in the software development life cycle, with a specific focus on developers. Her experience started as a leader at Wombat Security and Proofpoint (post acquisition in 2018). She has spoken at various infosec conferences and webinars about best practices in managing security training programs such as Gartner, SecureWorld, and ISSA. Amy can be reached online via our company website https://www.securityjourney.com/

Source: www.cyberdefensemagazine.com