Recently, I had an opportunity to sit down with Kurt Risley and ask him about his experiences and observations when working with organizations who desire to develop a comprehensive AppSec Awareness Program. The Q&A is as follows:
Stephen: Since our world relies heavily on software, today more than ever before, software must equal security. In this context, what are your thoughts on the origin of software vulnerabilities?
Kurt: Almost all research into the origin points to the lack of secure coding education, training, awareness, and skills. In fact, 70 percent of developers indicate they lack the necessary training to adequately secure the software they develop. In addition,
- There are 22M software developers around the world (Evans Data),
- 90% of security incidents result from defects in the software design or code (DHS),
- 21% of data breaches are the result of software vulnerabilities (Verizon),
- 1 in 3 of newly scanned applications had SQL injection vulnerabilities over the past 5 years (Cisco),
- And there is a 100 to 1 ratio of developers as compared to application security personnel (SANS).
Today, most organizations want to increase awareness and security, and this includes leveraging practical materials for software developers about best practices and common pitfalls throughout the various steps needed to accomplish this goal. An AppSec Awareness Program should primarily target your software development community first, and it must be performed and tracked on a regular basis.
Therefore, the best place to start is from the beginning with the developers themselves. However, the reality is that today’s developers have other priorities like deadlines, functional bugs vs. vulnerabilities, new languages, expansion of software utilization, increasing projects, etc.
Stephen: How does your conversation typically start with an organization around an AppSec Awareness Program?
Kurt: I typically ask the organization this basic question first, “Do you currently have an AppSec Awareness Program in place for your developers?” Most customers I speak with either have an informal program, where the developer is required to take a certain amount of training, while others have nothing in place whatsoever, but really desire to take it to the next level. It’s nearly the same no matter who I talk to.
Although some organizations have mandatory compliance requirements such as PCI, GDPR, etc., their current program is not well conceived to adequately address their compliance mandates. Today, AppSec awareness is no longer an option.
Now in the context of an official awareness program, these are the most common questions I get: “How do we put a formal program together for our developers? Where do we get started? How do we get engagement from the developers where it’s fun and not the typical training where everyone rolls their eyes?” To be honest, answering these questions on a daily basis is where I have been spending most of my time.
Stephen: What does a workable and proven AppSec Awareness Program look like and how do you kickstart one?
Kurt: There are some key milestones and approaches that any organization can adopt. First, we want a commitment from leadership. This is critical. Executive sponsorship is a key success factor, but it doesn’t mean you have to have it, to roll out a program for your developers.
Here are the 4 key areas that must be addressed to obtaining key stakeholder buy-in:
First, communicate with your executive team about the what, why, and how of an AppSec Awareness Program—typically, the goals and benefits of the program.
Second, address the questions from your executives concerning, “What’s in it for me?” I usually answer with this:
- It strengthens ties between developers and security teams.
- It reduces software risk and mitigates business risk.
- It helps demonstrate that you are a security-driven organization to your customers (which is important to all organizations.)
Next, discuss with your software development managers about the goals and benefits of the program, primarily from their perspective.
Finally, address the questions from your development managers concerning, “What’s in it for me?” I usually start with this:
- It reduces the amount of costly security bugs delaying software delivery and deployment.
- It puts security in the foreground of software development and incorporates security as a best coding practice, organization wide.
- It improves collaboration between the security team and developers.
- It provides an easy way to identify and measure security skills among new hires and candidates.
Stephen: What is the best way to organize an approach to a solution setup?”
Kurt: Let’s talk about an organizational structure first, and what that setup looks like a little more in detail.
- Rollout: Using teams make the rollout more structured and easier to manage long term. That could be done by geography, by business units, by application, by language, etc.
- Launch: Communicate with developers on the specifics of the rollout. Clearly explain the goals and objectives and make it clear that this will be fun and very productive. This will not be a time-consuming sink.
- Assess: Get a baseline at the beginning of your program. Wouldn’t it be nice to continuously assess your developer organization and understand where their strengths are, and then understand areas that need improvement?
- Takeaway: There are many benefits to this approach and the key takeaway is now you can demonstrate the value to leadership after training has been conducted and the areas that have been increasingly improved.
- ROI: This delivers measurable KPIs that results in a proven accelerated ROI, which is a significant return on your initial and long-term investment for the cost of an official program.
Stephen: Then, what should happen next?
Kurt: You must be proactive and as a result, you’ll reduce risk in your organization. What I mean by being proactive should entail:
- Train, train, train: Conduct focused training for certain periods of time, on a regular schedule.
- Create a friendly competition among developers: Since everyone loves some level of competition, add it to the mix, and make sure no one feels left behind or left out.
- Add an incentive program: Since most people are motivated by awards and kudos of some kind, think of incentives your teams would appreciate. It doesn’t always have to be money based. Sometimes, just public recognition is enough to motivate people.
- Assess and track: Don’t forget to continuously assess your program and your teams’ progress. Share that progress in report-like formats to management that can be easily digested. Keep good records of all progress and problem areas.
- Address problems head-on: If problem areas are identified, address those areas first, and then share positive progress with the group… and with the larger audience.
- Rinse and repeat: If what you are doing is working, it’s simple from there. Don’t fix what’s not broken. Yet, if something is broken, ensure you don’t wait until the “blank hits the fan.”
If you’re interested in learning more about how you can develop a comprehensive AppSec Awareness Program in your organization, the best place to start is to request a free trial of Checkmarx Codebashing solution. Through the use of just-in-time training, ongoing communication, and fun engagement, security managers cultivate a culture of software security that empowers developers to think and act securely in their day-to-day work. From there, you can request a demo where you can learn more about how to implement a program in your organization.