Recently, I had an opportunity to sit down with Kurt Risley and ask him about his experiences and observations when working with organizations that want to develop a comprehensive AppSec Awareness Program. The Q&A is as follows:
Stephen: Since our world relies heavily on software, today more than ever before, software must equal security. In this context, what are your thoughts on the origin of software vulnerabilities?
Kurt: Almost all research into the origin points to the lack of secure coding education, training, awareness, and skills. In fact, 70 percent of developers indicate they lack the necessary training to adequately secure the software they develop. In addition,
- There are 22M software developers around the world (Evans Data),
- 90% of security incidents result from defects in the software design or code (DHS),
- 21% of data breaches are the result of software vulnerabilities (Verizon),
- 1 in 3 of newly scanned applications had SQL injection vulnerabilities over the past 5 years (Cisco),
- And there is a 100-to-1 ratio of developers to application security personnel (SANS).
- It strengthens ties between developers and security teams.
- It reduces software risk and mitigates business risk.
- It helps demonstrate that you are a security-driven organization to your customers (which is important to all organizations).
- It reduces the amount of costly security bugs delaying software delivery and deployment.
- It puts security in the foreground of software development and incorporates security as a best coding practice, organization wide.
- It improves collaboration between the security team and developers.
- It provides an easy way to identify and measure security skills among new hires and candidates.
- Rollout: Using teams makes the rollout more structured and easier to manage long term. That could be done by geography, by business unit, by application, by language, etc.
- Launch: Communicate with developers on the specifics of the rollout. Clearly explain the goals and objectives and make it clear that this will be fun and very productive. This will not be a time-consuming sink.
- Assess: Get a baseline at the beginning of your program. Wouldn’t it be nice to continuously assess your developer organization and understand where their strengths are, and then understand areas that need improvement?
- Takeaway: There are many benefits to this approach and the key takeaway is now you can demonstrate the value to leadership after training has been conducted and the areas that have been increasingly improved.
- ROI: This delivers measurable KPIs that result in a proven, accelerated ROI, which is a significant return on your initial and long-term investment for the cost of an official program.
- Train, train, train: Conduct focused training for certain periods of time, on a regular schedule.
- Create a friendly competition among developers: Since everyone loves some level of competition, add it to the mix, and make sure no one feels left behind or left out.
- Add an incentive program: Since most people are motivated by awards and kudos of some kind, think of incentives your teams would appreciate. It doesn’t always have to be money based. Sometimes, just public recognition is enough to motivate people.
- Assess and track: Don’t forget to continuously assess your program and your teams’ progress. Share that progress in report-like formats to management that can be easily digested. Keep good records of all progress and problem areas.
- Address problems head-on: If problem areas are identified, address those areas first, and then share positive progress with the group… and with the larger audience.
- Rinse and repeat: If what you are doing is working, it’s simple from there. Don’t fix what’s not broken. Yet, if something is broken, ensure you don’t wait until the “blank hits the fan.”