Software/Technology Industry
Developers Find & Fix 5.6x More Vulnerabilities with HackEDU’s Training
The Challenge
A software technology company that counts many of the Fortune 500 among its customers stores over 41 million records of end user data. The company wanted a training solution that would both meet PCI secure coding requirements and reduce vulnerabilities in its software, protecting its applications and ultimately its end users’ data. The company also wanted to demonstrate the effectiveness of the training solution so it could justify to engineering leadership that time away from development was worthwhile, show the ROI of its internal security budget, and measure effectiveness for C-level leadership. Prior to any training, the company gave a secure coding assessment to all developers. The assessment consisted of multiple questions, each requiring the developer to find a simple OWASP Top 10 vulnerability in a specified function and fix it. It covered two SQL Injection vulnerabilities, one XML External Entities (XXE) vulnerability, and one Cross-Site Scripting vulnerability. In addition, there was a simple question on Insecure Deserialization. The developers were not given the answers to the questions, only a final score. The developers averaged a score of just 19% and found and fixed an average of just 14% of the vulnerabilities. 58% of developers were unable to find and fix even one vulnerability.
Solution
The company decided to put all of their software developers through HackEDU’s hands-on secure coding training. HackEDU offers interactive Secure Development Training to help software developers lower the risk of vulnerabilities in code. The company’s developers went through an average of 12 of HackEDU’s 35 lessons and 12 challenges. HackEDU’s training helps developers improve their ability to write secure software, boost their understanding of how software systems are hacked, and decrease the time to solve security related problems. In addition, the training helped the company meet the PCI secure coding training compliance requirements.
After the training, approximately 9 months after the initial assessment, the developers were given another assessment. This time the average score was 85% and the developers found 81% of the vulnerabilities. 100% of the developers found and fixed a majority of the vulnerabilities in the assessment, and every developer improved their ability to find and fix vulnerabilities in code.
Results & Benefits
Not only did the developers improve their ability to code securely, but they also found the training interesting and enlightening. One developer wrote, “I didn't know that the MD5 algorithm was not considered secure,” and another commented, “The hands-on part was great!”
About HackEDU
HackEDU offers hands-on Secure Coding Training online to help software developers lower the risk of vulnerabilities in code. Developers improve their ability to write secure software, boost their understanding of how software systems are hacked, and decrease the time to solve security-related problems. In addition, HackEDU's training helps meet PCI-DSS, HIPAA/HITRUST, ISO, and NIST compliance requirements.
Security teams turn to HackEDU to help them "shift left" and be more proactive in reducing vulnerabilities in software. To view HackEDU's training offerings, visit Secure Development Training.