Professional developers want to do the right thing, but when it comes to security, they are rarely set up to succeed. Organizations must support their development with precision training and incentives if they want secure software from scratch.
The cyber threat landscape is becoming more complex by the day, with our data widely seen as highly desirable “digital gold”. Attackers are constantly scanning networks for vulnerable apps, programs, cloud instances, and the latest flavor of the month is APIs, with Gartner predict correctly that they would become the most common attack vector in 2022, and that’s largely thanks to their often lax security controls.
Threat actors are so persistent that new applications can sometimes be compromised and exploited within hours of deployment. The 2022 Verizon Data Breach Investigation Report reveals that errors and misconfigurations were the cause of 13% of breaches, with the human element being responsible overall for 82% of the 23,000 incidents analyzed.
It becomes very clear that the only way to truly fortify the software being created is to ensure that it is based on secure code. In other words, the best way to stop threat actors from invading is to first deny them access to your software. Cybercriminals have a clear advantage against organizations scrambling to defend their often vast attack surface, and any window of opportunity that can be closed for good greatly reduces risk.
We keep security stars from shining
The current status quo for developers in many organizations is such that their primary role is to build awesome functionality and deploy software quickly. The faster developers can code and deploy, the more valuable they tend to be in terms of benchmarking.
Security can be an afterthought, if not considered at all, and is conspicuously absent as a measure of developer success. The 2022 Developer-Driven State of Security Survey in collaboration with Evans Data supports this perspective, with 86% of developers surveyed revealing that they do not consider application security to be a top priority. Instead, much of it is left to Application Security (AppSec) teams to figure it out. AppSec teams tend to be a source of frustration for most developers, as they often send completed apps back to development to apply security patches or rewrite code to fix vulnerabilities. And every hour a developer spent working on an already “completed” app was an hour they weren’t building new apps and features, diminishing their performance (and value, in the eyes of a particularly punitive company) .
However, the modern threat environment has forced everyone from enterprises to government departments to rethink the importance and prioritization of security, and they would be well placed to consider how the development cohort fits into a defensive approach. . According to the recent 2022 Cost of a Data Breach Report from IBM and the Ponemon Institute, the average cybersecurity breach now costs around $4.24 million per incident, although that’s not the upper limit. Businesses today want the security offered by DevSecOps, but, unfortunately, have been slow to reward developers who heed that call.
Simply telling dev teams to consider security won’t work, especially if they’re still incentivized based solely on speed. In fact, in such a system, developers who take the time to learn about security and secure their code might actually lose better performance ratings and lucrative bonuses that their less security-aware colleagues keep earning. It’s almost as if the companies are unwittingly rigging the system for their own security shortcomings, and it comes down to their perception of the development team. If they don’t view them as the front lines of security, it’s highly unlikely that a viable plan for utilizing their workforce will materialize.
And that’s not even taking into account the lack of training. Some very capable developers have decades of experience in coding, but very little in security…after all, they’ve never been asked to do so, nor a measure of success or quality of work. Unless a company offers a good training program, it can hardly expect its developers to suddenly learn new skills and put them into action in a meaningful way that actively reduces vulnerabilities.
(Want to compete against other elite developers from around the world or name your own team of security superstar developers? Rejoin Secure Code Warriorit is Development Olympics 2022our biggest and best secure coding tournament in the world, and you could win big!)
Reward developers for their security best practices
The good news is that the overwhelming majority of developers do their job because they find it both challenging and rewarding, and because they enjoy the respect their position carries. Lifetime Software Engineer Michael Shpilt recently wrote about all those things that motivate him and his colleagues in their development work. Yes, it lists monetary compensation among those incentives, but that’s surprisingly far down the list. Instead, he prioritizes the thrill of creating something new, the development of skills, and the satisfaction of knowing that his work is going to be directly used to help others. He also talks about wanting to feel valued within his company and his community. In short, developers are no different from many good people who take pride in their work.
Developers like Shpilt don’t want hackers to compromise their code and use it to harm their business or the users they’re trying to help. But, they can’t suddenly shift their priorities to safety without support.
Helping development teams improve their cybersecurity prowess starts with teaching them the necessary skills. Using a tiered approach to learning – along with tools specifically designed to integrate seamlessly into their actual workflow – can make this process much less tedious while helping to build on existing knowledge in the right context.
With a commitment to upskilling in place, the old methods of evaluating developers based solely on speed must be eliminated. Instead, developers should be rewarded based on their ability to create good, secure coding patterns, with the top candidates becoming safety champions that help the rest of the team improve their skills. And these champions must be rewarded with both corporate prestige and monetary compensation. It’s also important to remember that developers don’t typically have a positive experience with security, and raising them with positive, fun learning and incentives that match their interests will go a long way to ensuring both knowledge retention and the desire to continue to develop their skills. .
(Want to compete against other elite developers from around the world or name your own team of security superstar developers? Rejoin Secure Code Warriorit is Development Olympics 2022and you could win a big cash prize in our global tournaments!)