DevSecOps in DACH: Key findings from secure coding pilot programs
5th March 2020
Cybersecurity best practice has been a hot-button issue for more than a decade, discussed frequently at a government level in most regions all over the world. Cyberattacks are essentially a daily reality, and any entity storing valuable private data online is a potential target. In Germany alone, the Federal Ministry of Education and Research estimates that 96 percent of all small and medium-sized enterprises have already experienced an IT security incident. The same report highlights the urgent need for cybersecurity research, legislation and awareness, with a definitive callout for the inclusion of more robust security training in computer science and IT-related fields.
With the advent of GDPR, as well as a revised strategy following a multi-stage attack that exposed the sensitive data of many public figures - as well as servers in the German federal government - it is clear that cybersecurity awareness and action are front-of-mind for leaders in the DACH region. The late-2018 hack was executed by a 20-year-old student of relatively low skill, with his main access point to highly sensitive information made possible through simply guessing passwords. While this was an extremely concerning authentication exploit, it did highlight the need for far better security awareness at government, business, and societal levels. A 2019 report highlighted that Germany was falling behind in terms of cybersecurity defense initiatives, relying on legislation as the main tactic. However, with the arrival of DevSecOps as an ideal development methodology, many businesses have recognized the need for practical training, secure-by-design software creation, and company-wide security awareness programs.
The software security heartbeat in DACH
Organizations like OWASP and MITRE publish data-verified rankings of the most frequently occurring vulnerabilities. Across all languages, SQL injection ranks at number one, and despite it being decades old it is a common flaw and often exploited with disastrous consequences.
Swiss BPC banking software, SmartVista, was alerted to a SQLi vulnerability by SwissCERT; however, it remained unpatched for months despite its potential to expose sensitive customer data, including credit card numbers. SQL injection can and does lead to dangerous breaches, just like the 2017 breach of multiple government departments and universities in the US and UK. Many of these incidents are caused by lax input validation processes, allowing an attacker to insert malicious code from the front-end of an application. Another common vulnerability source is using insecure vendor code that goes unchecked for security bugs, so that flaws are introduced into a previously scanned and cleared production environment. Neither of these access points is specific to the DACH region; rather, they are global examples of poor security practices that cannot continue as the world produces more code.
It is imperative to patch issues as soon as they are discovered, and SmartVista’s decision to drag their feet could have been a disaster. While DACH has had its share of breaches, more focused guidelines and support in security awareness and training could prevent potential issues at the organizational level getting out of hand, and this will require legislation that is far more specific in driving assessed training for developers.
Not all secure code training is created equal.
Many cybersecurity directives around the world are becoming more comprehensive; however, they remain rather nonspecific when it comes to outlining effective security training. The NIS directive in the EU does include the requirement for “awareness-raising, training and education” at a national level, but rushing into a training solution may not have the desired outcome of tangible risk reduction if it is missing key elements that drive upskilling developers and organizational change.
Education solutions vary, and training must be specific to the developer’s day job (including the ability to learn in their preferred language and framework) as well as remain engaging and measurable over time.
Static training solutions, such as computer-based video training, are often too generic, and are rarely revisited or assessed on their success in driving the awareness and skill to stop vulnerabilities entering code as it is being written. Dynamic training, however, is vital in upskilling developers with contextual examples, in addition to providing metrics that influence business mitigation processes. It is updated frequently, promotes a high level of knowledge retention and is part of building security-aware developers that contribute to a positive security culture in their workplace.
Secure Code Warrior data points from DACH pilots:
Secure Code Warrior’s Ema Rimeike, Sales Director (MSc in Cyber Security) has been working closely with organizations in the DACH region, running pilot programs for developers to gauge in-house secure coding competency among developers, their engagement with security best practice, as well as the overall security culture of the business. Utilizing gamified, dynamic secure code training, her key findings reveal a bright future when developers are given the knowledge and tools that foster successful vulnerability reduction from the start of the SDLC.
During her pilot programs, she collated statistics based on an average of 90 minutes spent per user on the Secure Code Warrior (SCW) platform, in which they played 15 secure coding challenges (bite-sized, gamified and self-paced lessons):
- Users spent an average time of 5.5 minutes to complete one challenge, versus 3 minutes on average for other global SCW pilots.
- Accuracy vs. Confidence: The DACH pilots registered an average percentage of between 88-92% for confidence in their answers to challenges, yet the accuracy of these answers sat between 53-66%.
- Over 75% of surveyed participants prefer gamified - or dynamic - training methods, in contrast to static approaches like computer-based training (CBT).
- The most frequently seen vulnerabilities were Injection Flaws, Security Misconfiguration, Cross-Site Scripting (XSS), Improper Platform Usage, Access Control, Authentication, Memory Corruption, Cross-Site Request Forgery, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards.
It is no secret that, in general, a strong work ethic and focus on precision is valued by many in the DACH region, and the developers trying the pilot program are no exception. These data points speak to their unfamiliarity with this type of training, but also a desire to keep playing, improve their score and avoid using the “hint” feature available. Their desire to learn and improve is evident, but it also shows that more work must be done to implement effective training and awareness within the organization itself.
Great training that reduces risk and thwarts vulnerabilities is not a one-off exercise, and it’s more than compliance. An effort must be made by managers and AppSec personnel to roll out a security awareness program with strategy and support that reflects core security goals and seeks to maintain them long-term. This is, in effect, the backbone of a successful DevSecOps process with security-aware developers.
What does a pilot program reveal to an organization?
Secure Code Warrior’s pilot programs are an incredibly valuable tool in giving businesses a snapshot of their current security health (usually between 65-75%), as well as areas for immediate improvement. They reveal:
- Clarity on which vulnerabilities must be addressed as a priority, as well as whether this direction should be applied to a particular team, business unit, or programming language
- An accurate, wider scope of intelligence on the cybersecurity risk factors within their SDLC, encompassing the human factor of software development.
- By leveraging the SCW platform, organizations could predict the potential outcome of pen-testing, and have the opportunity to mitigate those risks up-front, preparing teams before they are even assigned to a specific project.
In organizations that have begun rolling out comprehensive and effective security programs, typically 1-1.5 hours per week of professional development is approved at the management level, to help their developers upskill their secure coding knowledge. However, we are noticing that organizations are moving away from the ‘time spent on platform’ focus to ‘which software development teams are posing the highest and the lowest risk to the business’. This is tightly linked to formalized certification/belting, the discovery of security champions and mentoring programs for best results. The allocation of time, plus constructive and positive assessment, is absolutely key to creating security-aware developers that not only like security, but measurably reduce risk to the business.
How do organizations already use Secure Code Warrior?
Several businesses are already using Secure Code Warrior to create awareness, build developers’ skills and scale a positive security culture.
For instance, in one use case, a team training on the platform used SCW to reveal their security strengths and weaknesses:
Developer action: Developers were able to see their own results, showing the areas they should be focusing on and empowered to self-direct, and pace the training to mitigate specific vulnerabilities or knowledge gaps that will assist them in future software builds.
Management action: They analyzed overall strengths and weaknesses at the team level, and were able to prescribe a gamified approach that addresses the specific areas of concern. This created a two-way educational pathway that builds relevant knowledge quickly.
Outcome: Once pentesting at the team level is performed, any vulnerabilities are visible, and comparing previous results made it easy to validate whether training had been effective in reducing common security bugs.
This leads back to the initial stages of software development, wherein pre-training team goals of continuous improvement and introducing security best practices at the start can be effective, easy to roll out, and save time across the entire development scope.
DevSecOps Project Teams
In an ideal DevSecOps environment, multiple business units are represented in a project team to decide upon and deliver core outcomes, one of which is security best practices.
In terms of pre-project research and planning, the SCW platform can evaluate the security skills of the proposed development team before it commences work, predicting eventual pentesting results, and security-related delays in the SDLC with more than enough time to adequately prepare for them. Training specific to the project code and structure can be created for the team to work through, including an assessment/certification process that verifies overall security awareness skills, requiring a preset pass mark before they are set free on the project deliverables.
This offers an approach of immense business value in reducing the cost of fixing vulnerabilities, mitigating security risks, saving time in pentesting, reducing the cost of expensive bounty programs and upskilling the development cohort in a centralised, sustainable, scalable and unified way.
There is increased pressure on businesses to prioritize security, keep our data safe and comply with increasingly tight regulations globally, but especially for organizations trading in the EU under strict GDPR guidelines.
For companies in the DACH region, it is clear that they are making viable security pathways by connecting training effort and outcomes to real-world activities related to the prevention of risks, including the reduction of common vulnerabilities in the code they produce.
To build a truly quantifiable business case for increased security budgets, awareness and overall compliance, training must be engaging for developers, consistent, adaptable and measurable. Tracking current stages of ability to tailor the right training, uncovering security champions and measuring team performance over time are all vital initiatives, and many forward-thinking companies across DACH are realizing the benefits following a comprehensive SCW pilot.
Many companies struggle with security performance metrics that are too generic. With longer-term, consistent use of the SCW platform, businesses could utilize precision assessments, courses, and management metrics to discover:
- Reduction in vulnerabilities over time
- Reduction in cost to fix vulnerabilities over time
- Individual and team skill development over time
- Cost and time reduction at the pentesting stage
What metrics does your organization currently track, how often are they remeasured, and have they shown marked improvement over time? How integrated are your training initiatives in terms of existing developer workflow?
SCW’s dynamic, gamified and comprehensive approach is seen as a crucial part of the Secure Software Development Life Cycle workflow. Businesses are equipping their developers with the right tools and training, as well as embedding SCW as part of their SSDLC workflow.