In the current economic climate, organizations are under increasing pressure to bring new products and services to market faster than ever. As a result, the security of those applications remains an afterthought. Adding to this mix is the reality that security is still not typically part of undergraduate computer science programs.
Recent critical vulnerabilities such as OpenSSL are proof that even excellent, experienced developers can create insecure code. This is not intentional. Instead, it is a by-product of a lack of knowledge and vigilance that comes from continuous education on emerging and legacy concepts like the software supply chain, buffer overflow, and SQL Injections.
We anticipate a continued uptick in application development throughout 2023, presenting a need to improve the state of secure coding training. We spoke with our resident security education experts – Amy Baker, security education evangelist; Mike Burch, director of application security; and John Campbell, director of content engineering – about what they see on the horizon for application security and why organizations should prioritize continuous and programmatic education over the next 12 months.
The industry must recognize that many organizations are struggling with a shortage of resources to tackle the AppSec dilemma. Overcoming this issue means educating teams proactively so that security becomes a second language built into every stage of the development process. It shouldn’t be considered the responsibility of someone else or something to be checked at the end of the development lifecycle.
The way to achieve true application security is with an efficient and holistic method to educate not just developers but the entire Software Development Lifecycle (SLDC) team.
2023 likely also brings continued economic challenges and budget scrutiny. Rather than attempting to hire expensive and hard-to-find application security experts, organizations can lean into these challenges by investing in the education of existing development resources.
By improving secure coding knowledge for developers and the teams that support them, organizations can dramatically improve their security posture. This is critical in today’s threat landscape. In 2023, security should not be delegated to a few select AppSec experts, but instead should be baked into every role in the development lifecycle.
Two fresh considerations for 2023 are Web3 and the metaverse. These emerging areas promise impressive opportunities for businesses and hackers alike. Application security in the metaverse lacks the focus it deserves.
Most security tools were simply not built for decentralized solutions. They won’t be enough to protect this space from malicious actors unless secure code is built into core application layers from the start. Because of this, secure coding training needs to be a top priority in 2023. It should be planned strategically, delivered consistently, and become a continuous journey rather than a ’check box’ exercise.
The cybersecurity landscape is ever-changing, and applications pose an especially critical threat as lucrative targets for criminals interested in large pools of data. Education must evolve as the vulnerabilities evolve, ensuring teams are always up to date with the latest knowledge.