Everyone knows how vulnerable today’s web-based, mobile, and desktop applications can be to a security breach. But what is the best way to assess risks and eliminate vulnerabilities? Just how good are today’s developers at writing secure application code and why is that important?
“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
- To be most effective, secure coding training for developers needs to be an integral part of the overall software development process.
- Everyone who touches an application – from development through testing and into production – needs to be driving toward a set of shared security goals.
- For the application developer, it starts with a good understanding of the major components of the software development lifecycle (SDLC).
- You then need to decide what secure coding principles should apply at each stage in the process.
Training is key
If the goal is to rid applications of potential vulnerabilities before they get out in the world, then training has a major role to play in that equation. It allows you to embed security into your end-to-end SDLC process, and it teaches your teams how to design, develop, and implement secure code. Many developers don’t know what secure code looks like, and many more aren’t fully aware of the more than 1,000 categories of security mistakes that developers can make.
bogus reasons for down-playing the importance of application security
- Secure application development is just too costly.
- Application security is a lower priority than features and speed to market.
- Secure development and training lack management support.
- Our software sits behind a firewall, so we don’t have to worry about security.
- We rely on “find and fix” solutions to secure our code.
Too costly? Is no one in these organizations reporting the cost of fixing insecure software after it has been released?
A lower priority? Has anyone looked at the downstream impact of rushed, and consequently buggy, insecure code – not only to the user, but to the reputation of your brand?
Find and fix? Wouldn’t it be better to make applications secure at the source, where security vulnerabilities can be eliminated long before applications are deployed?
A study by the Aberdeen Group showed that companies adopting a “secure at the source” approach to development realized a fourfold return on their application security investments. “The clear takeaway,” the report concludes, “is that application security initiatives of any kind represent extremely good business value.”
Secure coding training for developers – the most effective application security strategy
Most application security incidents stem from defects in the code committed by software engineers when designing, implementing, and integrating applications. This should not be a surprise, given that software security is typically not a part of standard educational programs.
A critical first step in developing secure applications is an effective training plan that allows developers to learn important secure coding principles and how they can be applied, then integrates these into SDLC architecture and design elements.
From a project management point of view, it’s an easy formula:
- Your engineers work hard every day but produce vulnerable code which results in hundreds of security bugs annually.
- Your organization will need to use resources to test, detect, and correct such vulnerabilities.
- An easier option would be to educate those programmers about secure coding so that they’ll start to write secure code from the very next working day.
Why training developers in secure coding practices is key
Without training in secure coding practices, developers continue making the same mistakes over and over again, and you are opening yourself up to considerable risk.
- Programmers should be held accountable for their code, but they can’t do that if they don’t know what to look out for.
- Preventing software vulnerabilities pays off. The benefits of fixing code earlier in the SDLC are well recorded.
- Estimated “costs to fix” later in the SDLC are between 6 and 1,000 times more expensive than fixing security bugs in the coding stage.
- This fact should make it easier to convince management of the value of developer training related to application security.
The bottom line
- Today’s software development community realizes that security needs to be woven into the entire product development lifecycle.
- Secure coding matters – think about your lost reputation when news spreads that your organization has been hacked or your software has serious vulnerabilities?
- Instructor-led training and e-learning have proven themselves to be surprisingly effective parts of an application security program.
- With appropriate training, every developer can become “a security gatekeeper,” helping you avoid problems and grow your business rather than finding and fixing problems after the fact.
Never forget that the best security defense begins and ends with your people. Be clear about their roles, invest in their training, and set priorities that drive smart decisions throughout your organization. The result will be better products, happier users, and far fewer problems for you to deal with down the line.
WhiteHat Security announced a five-part developer training webinar series and certification program that introduces developers to application security, secure coding techniques and best practices in identifying and fixing security vulnerabilities.