Maité Hacquin (Business Team Lead, Avatao)
What are the key benefits of practical security training for developers? Here are some tips on how you can build a case for a developer security program.
Security training for developers: More urgent than ever
Your workforce could be your biggest strength… and yet it could just turn out to be your biggest weakness!
To err is human; everyone makes mistakes. Avoiding them entirely is impossible, but organizations can implement processes to reduce the chances of those errors occurring. I’m here to talk about the coding errors developers make that increase the probability of your organization being breached, and why you need to pay attention.
Research shows that 95% of security attacks were undertaken because of human error. Yes, you read that correctly, 95%… Logical thinking drives people to replace or automate every process with tools. However, you can buy all the tools on the market, but if your people are not well trained, breaches will keep happening.
In another study, 59% of respondents agreed that most of the security threats discovered were caused by negligence from their internal teams. Over the years, companies have been financing tools to monitor and control potential information leaks and misconfigurations in code, which has reduced human involvement in this particular area. As this continues, security threats and breaches have kept expanding. Comparing the first quarter of 2018 with the first quarter of 2019, the number of data breaches increased by 56.4%.
Developers make those mistakes accidentally because they are not actively involved in, and do not feel responsible for, the security of their own code. They would rather rely entirely on their security team or tools to check what they wrote, and only after they wrote it.
Fixing a vulnerability will always remain more expensive than writing secure code from the very beginning. Some companies try to react to this by giving a one-time training every year. However, without continuous security training for developers, their knowledge rapidly becomes outdated as new types of vulnerabilities come up constantly. That’s the hard part of cybersecurity.
Let’s take the example of the Yahoo 2014 breach, where the data of 500 million users was compromised after management refused to pay attention to a VP of engineering who warned them about a list of vulnerabilities that needed to be prioritized and checked. The management refused to fund it. This lack of attention cost the company $350 million. With properly trained employees, your team can save you millions of dollars. Believe it or not, investing in security training is a smart long-term investment.
While it is common knowledge that organizations are growing their annual security budgets, mostly spent on buying scanning tools, it’s quite worrying to learn that 53% of IT teams are uncertain of the efficiency and operations of the tools they deploy. The preeminent issue with using tools is that developers only see the errors being reported without learning how to avoid them in the future. The wrong idea here is to think that if you buy this very expensive tool, your organization will be secure. Tools require a lot of knowledge from the developers themselves. If the developers are not properly trained on security
Tools can be helpful (in certain ways), but their outputs are going to be analyzed by the developers in the end, resulting in extra work for them, just later in the process. Tools should no longer be considered the answer for securing your organization. It is time secure code training takes that spot!
The key benefits of practical security training for developers
Organizations need to start involving their developers in issues pertaining to security. After all, they are the ones producing the lines of code. The biggest red flag we observed with companies is that security is often seen as an obstacle for developers to deliver their projects on time – or to their productivity – and because of that, remains at the bottom of the priority list. However, here are some of the outcomes that can be observed after a well-planned security training for developers:
- It reduces the length of QA testing and retesting phases as code is less likely to contain security defects.
- It decreases the total cost of fixing vulnerabilities as bugs are discovered and remediated much earlier in the SDLC.
- It decreases existing delays in product development as engineers apply cleaner and better code during the development process.
The skill gap in the security industry
One last alarming matter before I close this blog post is the lack of security professionals available on the market. In EY’s Global Information Security Report 2018-19, they stated that we’ll be facing a shortage of 1.8 million security professionals over the next five years. It’s already hard to find good and experienced security people today (because they already have a job), and it will only become increasingly difficult in the coming years. It is time to strengthen your development teams from within. It will surely be an investment that is worth it, even though it is hard to see now.
As laid out in this post, human factors such as skill gaps in cybersecurity in companies, the ever-changing cybersecurity threat landscape, the increasing sophistication of security attacks, and the lack of knowledge of end users undoubtedly remain among the main security threats for organizations today. While the first move of most companies is to go looking for tools and other technologies to overcome this threat, nothing can replace continuously educating your employees with the right training and hiring skilled security people.