Training Exposure: Addressing Secure Coding Education in Your Software Security Program

According to the Verizon 2019 Data Breach Investigation Report, 69 percent of the data breaches investigated by Verizon were perpetrated by outsiders, 63 percent were the result of attackers targeting server assets, and nearly 70 percent of breach incidents were caused by attackers targeting vulnerable web applications. Undoubtedly, there is a substantial connection between web applications containing software defects and data breaches. Since this is the case, what is the primary cause of software defects? Almost all research into their origin points to a lack of secure coding education, training, and skills.

Application Security Testing (AST) solutions manage and measure your overall Software Exposure, which helps you accurately understand and significantly reduce your organization’s business risk. Software exposure results from mistakes made in the design, coding, testing, and maintenance of software. Exploiting these vulnerabilities can make the software unavailable or unreliable to users, or allow attackers to execute unauthorized code, read or modify data, change a user’s privileges, hide activities, or bypass security controls.

One component of software exposure is the concept of training exposure, as shown in the graphic below. This concept raises the question: “Are developers properly trained, and are there specific areas that need to be strengthened?” If you haven’t fully integrated methods to improve developer education, training, and skills into your DevOps initiatives, your organization is suffering from what we at Checkmarx call training exposure.

Understanding the Developer’s Viewpoint and Role

One of the most valuable developer resources is time. Developers are primarily employed to write quality code in today’s fast-moving CI/CD environments, and anything that slows them down is considered a hindrance to their often-heavy workloads. Writing secure code is often seen as a “nice to have” that’s frequently squeezed out by deadlines, delays, and difficulties.

Software developers are primarily compensated for their ability to rapidly write functioning code, not necessarily secure code. Most were not hired to be part of the security team, yet they are in the perfect position to be part of the remedy to the overall problem. Developers have the ability (and often the responsibility) to reduce an organization’s cyber-risk factors by significantly reducing its software exposure. Simply put, developers need, and often want, solutions that help them write more-secure code. But the real question is, “What is the best way to address training exposure head-on and achieve the desired result?”

Work-Related Training Options That Aren’t Always Working

Organizations today often mandate some level of security training for their new-hire and existing developers. This is primarily due to a heightened level of vulnerability awareness, a broadening cyberthreat landscape, new and existing regulatory requirements, and other internal and external influences. Organizations see software security as a primary concern, second only to their continued growth and overall business success.

Beyond what’s being taught in colleges and universities today, work-related software security training can take many forms. Unfortunately, lengthy video tutorials, periodic and often extensive classroom training, and tiresome online courses are the norm. The biggest problem with this type of training is that it’s out of context with the everyday activities that developers perform. Plus, mundane training is always viewed with a level of dislike. Is there a better way to deliver interactive training within the process of developing code itself?

Secure Coding Education that Delivers the Desired Result

Most would agree that the best way to train someone is while they’re doing the activity themselves. For example, if someone wanted to train for a sporting competition of sorts, they would likely spend most of their training-time doing the activity. The same holds true for Secure Coding Education (SCE). SCE should be available at the exact moment when it’s needed most—while developers are writing the actual code that’s part of their everyday jobs.

When you implement training programs that pull developers away from their integrated development environments (IDEs), you remove them from their daily coding cycles, which is often viewed as disruptive. What is needed is to integrate bite-size, relevant training modules directly into a developer’s daily routine. This way, developers do not have to endure hours of out-of-context training sessions.

When a software defect that could lead to an exploitable vulnerability is detected while developers are writing code (most often via incremental Static Application Security Testing (SAST)), developers can jump directly to a training module integrated within their IDEs. The training module should also be integrated with the SAST solution, which highlights the line(s) of code where the defect was detected as well as the best-fix location. The module should then “train” the developer on how to remedy the software defect in an interactive and gratifying manner. This way, the training module is completely contextual, not only to the overall coding activity, but to the actual defect itself.

This just-in-time training approach has been proven to be effective at helping developers substantially improve their secure-coding abilities. Since it is not typical for a developer to have the entire code base of a very large software application on their desktop, having training modules at their fingertips that focus their attention on the vulnerabilities found in the portions of code they’re responsible for is extremely valuable. Real-time training is the best approach when developers are tasked with fixing a security vulnerability.

Two things are ultimately achieved: first, code defects are remedied, and second, the developers’ training retention is vastly increased. The next time a similar defect is detected, the developer will likely know how to fix the issue immediately. Eventually, the probability of a developer making a similar error is significantly reduced, and more-secure code becomes a reality. The desired result is obtained, and training exposure is no longer a contributor to the overall software exposure concern.

How to Resolve Training Exposure

Integrate Secure Coding Education (SCE) throughout DevOps to resolve risks inherent to training exposure. Here is an SCE solution that can help your team resolve training exposure.

Developer Secure Coding Education

What to look for: an interactive, engaging software security training platform integrated into the development environment, sharpening the skills developers need to avoid security issues, fix vulnerabilities, and write secure code.

Here are some other key software security solutions that are designed to help address software exposure beyond secure coding education.

Static Application Security Testing

What to look for: ability to automatically scan uncompiled/unbuilt code and identify security vulnerabilities in the most prevalent coding languages.

Interactive Application Security Testing

What to look for: ability to continuously monitor application behavior and find vulnerabilities that can only be detected on a running application.

Open Source Analysis

What to look for: ability to enforce open source analysis as part of the SDLC and manage open-source components while being able to ensure that vulnerable components are removed or replaced before they become a problem.

Professional & Managed Services

What to look for: a trusted team of advisors who can help development organizations transform their DevOps initiatives by adding security throughout their SDLC.

With the information these software security solutions provide, your team can prioritize issues properly and resolve them in a timely manner.

Unify your software security into a single, holistic platform to manage your software exposure.