Jan 24th has been proclaimed by the United Nations General Assembly as the International Day of Education, seeking to raise awareness about the need to invest in people and the importance of education. So, what exactly should this look like for those working within the software development industry? Especially taking into consideration that this space is facing a significant challenge: the number of reported security vulnerabilities has grown rapidly, from 6,487 in 2015 to 20,139 in 2021, and enterprise risk is rising as a result.
For around a decade now, we’ve seen security awareness training become increasingly embedded within an organization’s security strategy. However, while this approach can certainly be effective, since it provides a foundation and a state of alertness, it is not enough on its own, particularly for those in security-critical roles such as software developers, product and UX managers, quality assurance, and scrum masters, who are all responsible for delivering safe applications. For these individuals, enterprises need to be investing in persistent and programmatic education if there is to be any real change in the existing AppSec dilemma.
As we take this opportunity to recognize the International Day of Education, it’s crucial to understand why education is so different from awareness as it relates to application security. Where ‘awareness’ is understanding vulnerabilities and recognizing flaws in code, ‘education’ is knowing exactly how a flaw will impact the product, business, and customer, and what must be done to remediate it. And, while always striving to be masters of their trade, developers and other roles within the software development lifecycle (SDLC) may not have the depth of understanding and knowledge needed to implement the key security principles required to resolve ever-evolving vulnerability types.
Often this is no fault of their own. Developers, for example, can be hindered by the lack of mandatory secure coding courses in their university education, with none of the top 50 universities in the U.S. making this a requirement in computer science degrees. Empowering more secure decision-making, applications, and services must therefore be an obligation for organizations: they need to invest in educating their people and instilling knowledge.
Education must be effective to drive widespread adoption. And to be effective and become ingrained as a ‘secure habit’, it must be delivered on a continuous and programmatic basis. As we all look to form long-lasting, good habits at the start of a new year, those in security-critical roles within the SDLC should be seeking ways to ensure security is baked in at every stage of application development. This helps to instill a security-first mindset, making security second nature rather than a costly add-on once a vulnerability has been detected.
Given the variety of roles across the SDLC, secure habits will differ depending on each person’s responsibilities and levels of experience. For example, while a software engineer would benefit from habits like regular code reviews, project and product managers should be holding threat modeling discussions early in the design process. Get some inspiration for your own secure habits here.
Forming long-lasting secure habits within application security will not be an immediate process driven simply through awareness. In fact, it takes more than two months on average before any new behavior becomes automatic – 66 days, to be precise. If we are to see real change in our industry, it is therefore vital that organizations enable knowledge and a security-first mindset by prioritizing continuous security education programs that support secure habit formation and secure coding practices – not just on International Day of Education, but all year round.