Building secure software has never been more important. Globally, organizations spend billions of dollars on tools to identify vulnerabilities in the code they write and use. It’s easy to understand why. Vulnerabilities and misconfigurations in software can result in breaches that cost millions in remediation and damage a company’s reputation. Attacks on vendors in the software supply chain are driving demand for evidence of software security across all market segments.
Testing for vulnerabilities is necessary, but is a reactive solution that identifies issues late in the development process. This can result in teams facing the uncomfortable choice of unexpected delays in releasing products or releasing products with known vulnerabilities. If security is not fully integrated into the development process, it can also result in friction between internal teams.
How Vulnerabilities Enter Software
Vulnerabilities can enter code bases through third-party components or through custom code written internally. Vulnerabilities in custom code are usually the result of coding errors. For example, all user input to a running application should be validated to ensure only properly formed data is used. If a developer misses this step, an attacker may be able to execute a SQL injection or cross-site scripting attack. Validation is one layer, not the whole defense: SQL injection is reliably prevented by parameterized queries, and cross-site scripting by encoding output for the context in which it is rendered, whether or not the input was validated.
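As an added illustration of that paragraph (this is example code written for this page, not code from Security Compass or SD Elements), the block below shows the same lookup and the same HTML rendering written twice: once with the coding error described above and once hardened. It uses an in-memory SQLite table with constructed sample rows and a hypothetical username allowlist, so it runs offline.

```python
import html
import re
import sqlite3

# Constructed sample data so the example runs offline (not data from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn


# Hypothetical allowlist for this example: usernames are 1-32 word characters.
# fullmatch() anchors both ends, so a trailing newline or quote is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """Input validation: accept only properly formed usernames."""
    return USERNAME_RE.fullmatch(value) is not None


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: untrusted input is spliced into the SQL text, so the
    attacker controls the query structure (e.g. "' OR '1'='1" returns every row)."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterized query. The value is bound by the driver and
    is never parsed as SQL, so the same payload simply matches no user."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def render_greeting_vulnerable(name: str) -> str:
    """Cross-site scripting: untrusted input is placed into HTML unencoded."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: encode for the HTML text context before rendering."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("validated:", is_valid_username(payload))          # False
    print("vulnerable:", find_user_vulnerable(db, payload))    # all three users
    print("safe:", find_user_safe(db, payload))                # []
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_safe(xss))
```

The two "safe" functions do not depend on the allowlist: even if validation is skipped, the parameterized query and the output encoding hold. Validation still belongs in front of them, because it rejects malformed data early and with a clear error instead of letting it reach the database or the page.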
Teams face two challenges in preventing vulnerabilities in their custom code. The first is organizational: development teams are measured and rewarded for delivering a fixed set of features and functionality by a specific date. Developers are solving difficult engineering problems and are focused on functional requirements. Security requirements are rarely among them, even though specifying them up front can significantly reduce development costs.
The second challenge is educational. As we’ve previously noted, security coursework is rarely a requirement in computer science degree programs. This means that if you want developers to understand how to build more secure software, you need to have a training program.
5 simple ways training can boost your security program
A security training program helps organizations build better software faster. Like most initiatives, these can be simple at first and evolve over time. Here are five tips for building a successful program.
1. Create security awareness across the organization: Acknowledge the effort required to complete training programs. Often this is achieved through internal recognition and designations of “security champions”. Also, remember that responsibility for security extends beyond security teams and software development. Including role-specific training for development, operations, and general staff also helps instill a security culture.
2. Build healthy secure coding practices: Smart development and security leaders understand that consistency is important. By standardizing and including best practices for each role in your training, you can minimize risk and increase code maintainability.
3. Shift security left: Training is the ultimate shift left. It helps organizations avoid coding errors that introduce vulnerabilities to an application. Ideally, you should include precision training that is accessible whenever the developer needs it – as they are writing code. During busy development sprints, developers are more likely to consume small, concise training topics rather than monolithic courses.
4. Help security and development work together: Over time, silos emerge within any organization. You can improve collaboration and better ensure buy-in by involving development and security in training requirements, selection, and execution. As developers successfully complete training, provide them with opportunities for additional collaboration and assign security champions as a bridge between development and security.
5. Leverage certifications to build customer confidence: While completing a training course is good, completing an independent accreditation program is better. These programs are structured to build on broad fundamentals and then focus on the unique needs of the learners. Learners appreciate them because they are “portable.” Customers like them because they demonstrate an organization’s commitment to security. In an industry increasingly concerned with the security of its software supply chain, this can give organizations a competitive advantage.
How Security Compass can help
Security Compass delivers a full suite of on-demand application security training solutions supported by research and accredited by ISC2. Our role-based, eLearning platform meets developers where they are in their knowledge and learning style to ensure they successfully develop and apply secure coding skills. Just-in-Time Training (JITT) within SD Elements, our platform for developer-centric threat modeling and secure software design, includes short videos that engage and educate developers in real-time and support the implementation of security and privacy controls in their environment and workflow.
Training is available for development, operations, and general staff and ranges from security awareness to in-depth role-based and programming-language-based learning, delivered through our Software Security Practitioner (SSP) Suites.
You can learn more about our training offerings here.