Security Journey Blog

How Secure Coding Training Fits Into The Shift Left Movement

Written by Security Journey/HackEDU Team | Jun 18, 2021 2:04:47 PM

In the past, security was not seen as a priority during the development process.  Often, developers would only perform vulnerability scans and security audits as part of the testing phase of the DevOps cycle, if they did so at all.  As a result, vulnerabilities became common in production code as organizations failed to identify and properly fix security issues in code before release.

The Shift Left Movement is dedicated to improving how organizations approach security testing and vulnerability management.  Instead of leaving security until the very end, the goal of the movement is to “shift security left” into earlier phases of the development timeline.

This means that security needs to be incorporated into the design and coding phases of software development. Accomplishing this requires developers to have skills that they might not currently possess.

How Does Secure Coding Training Fit Into Shift Left?

With Shift Left, developers are expected to consider security from the very beginning.  This means that security requirements and user stories should be incorporated into the planning stage of the DevOps timeline and that code should be written to be secure by default and tested using security-focused unit tests.

To achieve this, developers need a clear understanding of how to write their code in a secure fashion.  Without an understanding of what a cross-site scripting (XSS) vulnerability is and how it works, developers can’t ensure that their code doesn’t contain one, or write effective unit tests to check whether one exists in their code.

This is why secure coding training is an essential component of the Shift Left Movement.  With secure coding training, developers can be introduced to some of the most common types of vulnerabilities and learn how to avoid them and test for them.

Most developers are not security experts, nor do they need to be in order to do their jobs effectively.  However, developers do need a certain level of knowledge about security and vulnerability management to fight back against the growing number of vulnerabilities that reach production code.

The Challenge of Adding Secure Coding Training to DevSecOps

The Shift Left Movement and the transition from DevOps to DevSecOps go hand in hand.  Both are dedicated to ensuring that security becomes central to every part of the development process.

However, with DevOps and DevSecOps, it is important to consider the impact that increased responsibilities around security testing and vulnerability management will have on DevOps workflows.  Developers using DevOps methodologies are focused on rapid development cycles and seek to eliminate anything seen as an impediment to this.

If implemented incorrectly, secure coding training can be a serious hindrance to rapid development processes.  If developers are forced to learn about every possible vulnerability before they are permitted to start writing code, then nothing will ever get done.  A secure coding training program that creates a barrier is one that developers will ignore and find workarounds to avoid.

Effectively Integrating Training into DevSecOps

For secure coding training to be accepted as part of DevSecOps processes, it needs to have clear benefits and create minimal burdens for the development team.  The way to achieve this is through targeted secure coding training.

For many applications, several of the most common vulnerabilities do not apply.  For example, an application that never touches a database has no need to fear SQL injection attacks, and buffer overflow vulnerabilities are only a concern when applications accept unstructured user input.  An effective secure coding training program will ignore irrelevant vulnerabilities and focus on the ones that a developer is most likely to experience.

HackEDU provides this type of targeted secure coding training.  Our platform integrates with common DevSecOps tools, code repositories, and bug bounty programs, giving it insight into the types of vulnerabilities that matter to a development team and the ones that exist in their code.  This enables us to provide targeted training with clear value to the team, without wasting limited time and resources teaching about vulnerabilities that don’t apply to their code.  Developers who are more curious about security will also have access to additional content to satiate their thirst for knowledge.

Conclusion

It can be very daunting to make major shifts in development workflows. Every change has the potential to create massive upheaval that can be disruptive to developers and the product roadmap. By carefully integrating secure coding training into the development workflow, and providing lessons that are tailored to each individual developer’s needs, our customers have enjoyed the benefits of secure coding training, without having to fear the potential downsides.