Software supply chain risks are a highly visible part of the cybersecurity threat landscape. From President Biden’s cybersecurity executive order to Gartner including them in its 2022 list of top security risks, supply chain threats are making headlines everywhere – and rightfully so. Gartner notes that by 2025, at least 45% of organizations around the world will experience attacks on their software supply chain.
As businesses rush to shore up their software supply chain security, one source of risk is often overlooked, and what – or who – it is might surprise you. It’s developers – the engine that drives new applications, services, and products to market.
First things first. We aren't talking about developers going rogue and sabotaging the development cycle. That kind of intentional bad behavior – which thankfully is an infrequent occurrence – isn’t what we mean. Rather, we’re calling attention to unintentional behavior that injects vulnerabilities into code.
How does that happen? Through a combination of factors.
Developers today are under more pressure than ever, whether due to the ongoing talent shortage or other job responsibilities that restrict their time available to code. Whatever the reason, developers today are relying more and more on open-source code to speed up the development process.
More than 80% say they are pulling open-source code into their work at least once per month. Half say they do it weekly. And while using open-source code is generally a good thing that saves time and resources (why recreate the wheel?), not every line of that third-party code gets fully vetted for security. That’s a lot of potential insecure code going into the application development process.
Add to this the reality that none of the Top 50 computer science programs at U.S. colleges and universities require specific courses on application security. This means most developers today have never been exposed to application security best practices or strategies in an educational setting.
This lack of education puts developers at a disadvantage. They simply lack the foundation to understand or apply security strategies in their day-to-day coding work.
These factors combined make it easy for code vulnerabilities to be missed or ignored, even for years. When critical security flaws are eventually discovered, developers feel far removed from the code they wrote ages ago. Also, the time gap between writing the code and finding the errors means developers can’t learn from their mistakes in real time.
Most importantly, insecure code presents roadblocks and costly refactoring for the rest of the DevOps team. These unintentional insecure coding errors cost organizations time, money, and resources.
The good news is that these types of risks can be mitigated. The key is solid application security education.
Offering a broad security awareness program isn’t enough anymore. Nor should these types of high-level programs be seen as a solution to today’s application security risks and vulnerabilities. Long gone are the days when it was appropriate to roll out awareness training once per year and then mark the task complete for another 365 days.
Instead, application security training should be considered an evolving journey – one that leads to a deeper understanding of risks and vulnerabilities and better decision-making about ways to mitigate these risks. A great training program is programmatic in nature, offers training throughout the year, and evolves as the threat landscape evolves.
Maximizing the success of any training program means being able to measure improvements along the way. Whether you compare the number of vulnerabilities in code before and after training or the number of vulnerabilities a learner can find and fix, measuring progress is essential. As developers work their way through the training, seeing tangible improvements helps to incentivize further engagement. Success builds upon success, especially in application security education.
Likewise, measurable goals give you the ability to show progress to stakeholders and others across your organization. It also helps prove the worth of the program to those with influence, like boards of directors.
Application security training isn’t – and shouldn’t be – a one-size-fits-all approach, and it shouldn’t be static, either. As the day-to-day issues of developers evolve, so should the training they receive.
Training will fall flat if it doesn’t meet learner needs, and that is especially true for developers. The lessons they take must be relevant to what they do, and learners shouldn’t simply be presented with a solution in a vacuum. Explaining the context and the “why” around the solution is key to keeping learners engaged.
Don’t underestimate the importance of incentives. Rewarding those who consistently demonstrate security best practices in their day-to-day work is a winning and proven strategy. These incentives don’t need to be monetary, either. Whatever best suits your business culture works. So, if learners want swag, give it to them. Never underestimate the allure of a hard-won hoodie.
When you continuously motivate security practitioners, you can turn them into “security champions.” These security leaders wield great influence and encourage others to embrace application security, too. This type of evangelism organically influences a security culture shift across the entire organization.
Software developers are the foundation of the SDLC. While it is important to recognize the potential insider threat they pose to organizations, it is equally important to recognize and reward their value.
A developer who is educated in secure coding best practices is the strongest defense against cyberattacks. They are also an invaluable asset to the rest of the DevOps team in the quest to deliver secure software.
The proven way to do this is through continuous and effective application security education. Security education that covers both specific security principles and the bigger security concepts and ideas behind them allows developers to become flexible problem solvers. In turn, this helps them apply their security knowledge to novel situations in the future.
Ready to learn more? Check out our recent webinar on How to Start an Effective Secure Coding Training Program, and get started today!