Written by Maité Hacquin
What are the key benefits of practical security training for developers? Here are some tips on how to build a case for a developer security programme.
Security training for developers: More urgent than ever
Your workforce could be your biggest strength… and yet it could just turn out to be your biggest weakness!
To err is human: everyone makes mistakes. Eliminating them entirely is impossible, but there are processes organisations can put in place to reduce the chances of those mistakes occurring.
I'm here to talk about the coding errors developers make that increase the probability of your organisation being breached, and why you need to pay attention to them.
Research shows that 95% of security attacks succeeded because of human error.
Yes, you read that correctly: 95%. The instinctive response is to replace or automate every process with tools. However, you can buy every tool on the market, and if your people are not well trained, breaches will keep happening.
In another survey, 59% of respondents agreed that most of the security threats they discovered were caused by negligence within their own internal teams. Over the years, companies have financed tools to monitor and control potential information leaks and misconfigurations in code, which has reduced human involvement in this area. Meanwhile, security threats and breaches have kept growing: comparing the first quarter of 2018 with the first quarter of 2019, the number of data breaches increased by 56.4%.
Developers make these mistakes accidentally because they are not actively involved in, or made to feel responsible for, the security of their own code. They would rather rely entirely on the security team or on tools to review what they wrote, and only after they have written it.
Fixing a vulnerability will always be more expensive than writing secure code from the start. Some companies respond by giving a one-off training session every year, but without continuous security training for developers, that knowledge rapidly becomes obsolete as new classes of vulnerability appear constantly. That is the hard part of cybersecurity.
Take the example of the Yahoo 2014 breach, in which the data of 500 million users was compromised. Management had ignored a warning from a VP of engineering about a list of vulnerabilities that needed to be prioritised and checked, and refused to fund the work. That lack of attention cost the company $350 million. With properly trained employees, your team can save you millions of dollars. Believe it or not, investing in security training is a smart long-term investment.
While it is common knowledge that organisations are growing their annual security budgets, mostly spent on buying scanning tools, it is quite worrying to learn that 53% of IT teams are uncertain about the effectiveness and operation of the tools they deploy. The main problem with relying on tools is that developers only see the errors being reported, without learning how to avoid them in the future. The wrong idea here is to think that if you buy this very expensive tool, your organisation will be secure. Tools require a lot of knowledge from the developers themselves. If the developers are not properly trained on security
Tools can be helpful (in certain ways), but their output is ultimately analysed by the developers, resulting in extra work for them, just later in the process. Tools should no longer be considered the answer to securing your organisation; it is time secure code training took that spot!
The key benefits of a practical security training for developers
Organisations need to start involving their developers in security issues. After all, they are the ones producing the lines of code. The biggest red flag we have observed at companies is that security is often seen as an obstacle to developers delivering their projects on time, or to their productivity, and because of that it remains at the bottom of the priority list. However, here are some of the outcomes that can be observed after well-planned security training for developers:
- It reduces the length of QA testing and retesting phases as code is less likely to contain security defects.
- It decreases the total cost of fixing vulnerabilities as bugs are discovered and remediated much earlier in the SDLC.
- It reduces delays in product development, as engineers write cleaner and better code during the development process.
Skill gap in the security industry
One last alarming matter before I close this blog post: the lack of security professionals available on the market. EY's Global Information Security Report 2018-19 states that we will face a shortage of 1.8 million security professionals over the next five years. It is already hard to find good, experienced security people today (because they already have a job), and it will only become harder in the coming years. It is time to strengthen your development teams from within; it will surely be an investment worth making, even if that is hard to see now.
As laid out in this post, human factors, such as skill gaps in cybersecurity within companies, the ever-changing threat landscape, the increasing sophistication of attacks and the lack of knowledge among end users, undoubtedly remain among the main security threats for organisations today. While the first move of most companies is to look for tools and other technologies to overcome this threat, nothing can replace continuously educating your employees with the right training and hiring skilled security people.