In-depth security training is raising questions in education
1st October 2019
Since we began our mission in 2015, our focus has always been on facilitating fun, relevant and engaging secure coding training for developers. We have long recognized the importance of giving developers the knowledge and tools to understand security best practices, why it is important and how they can help fortify software from malicious attacks as code is written.
However, security training is not a new concept. We were certainly not the first to take on this initiative, and adequate security measures have been a consideration in software development for a long time. Sure, some types of training are more effective than others, but some form of security education is relatively easy to find, especially today.
… so why the heck do we have so many data breaches? As of September, over four billion records have been exposed across multiple cyberattacks in 2019 alone.
Many organizations are currently fighting a losing battle to keep our increasingly valuable data safe. It has become abundantly clear to CISOs and CIOs all over the world that “shifting left” is still too late; we must start left with security in the SDLC, and that means developers must have adequate security knowledge to fix flaws long before code is committed, let alone shipped to production.
AppSec specialists cannot be the only gatekeepers of security knowledge.
In the past, software security was the domain of a very particular bunch of clever geeks, with next to no interaction with the engineers writing the code. It was their job to test, break and stop insecure code from seeing the light of day. When the two groups did cross paths, it was usually because the security specialist was pointing out flaws in the code… something guaranteed to be met with a frosty reception from the developer who had slaved over its creation.
Fast-forward to today, and the situation is pretty much the same, except that now there is so much more at stake. Almost every aspect of our lives is digitized… everything from photo albums on social media, to medical records, banking, and our most valuable identification documents. It was one thing to protect mostly offline, standalone software and operating systems. It is quite another to defend billions of lines of code, with hundreds of millions of users potentially at risk. That burden is far too great for one group of specialists to shoulder alone, and that is why we must bridge the gap between AppSec and the development team. They need to work together, share knowledge and operate as one cohesive, security-aware unit.
There’s just one problem with that: developers rarely get the opportunity to learn secure coding skills in a meaningful way. Most tertiary education barely touches on security best practices, and on-the-job training varies wildly in quality.
Is it any wonder we’re seeing huge breaches every other day?
A “license to code”.
Despite the gloomy current landscape, I am optimistic about the future of security. There is a change in the air, and I am buoyed by the sheer number of organizations taking secure coding seriously right now.
It is becoming more and more apparent that developers need access to the right tools and knowledge to mitigate security risk, and that a thriving culture of security awareness is vital in the fight against data breaches. When developers take responsibility for security as code is being written, it becomes far less of a cakewalk for attackers to exploit simple flaws and gain the keys to the castle.
It has always been the case that some developers are more security-aware than others, and this presents a real challenge for organizations. While in-house development teams often have some degree of training and skill monitoring, the waters become very muddied when you introduce contractors, freelancers and recent graduates into the mix. Do they act with a security mindset? Can they reliably avoid age-old flaws like cross-site scripting, which has been around for two decades? It’s hard to tell, yet they are often let loose on vital parts of a software build. Yikes.
Thankfully, we are seeing an increase in non-negotiable standards for developers. For instance, some organizations are using Secure Code Warrior as a tool to assess development skills and issue a “license to code”. Without passing fundamental secure coding assessments, developers are not able to work on any projects. This has been invaluable in helping grads and interns get up to speed with their security skills while, at the same time, instilling a sense of how important it is to code securely. After all, security must be synonymous with quality when it comes to software.
Extracurricular training is putting universities in the spotlight.
Changing the conversation around secure coding does take more than an article here, a keynote speech there. It needs to be a community-wide movement, and it’s great to see so many top-tier organizations taking notice and building high-level security programs to an enviable standard. One such company is HSBC, whose formidable program is ensuring recent graduates and new hires are on the “start left” journey as soon as possible. As the Head of HSBC India’s Technology Academy, Sekhar Babu Tatavarti has found in-depth security training a must:
“At HSBC Technology, we wanted to ensure that our developer community understands the significance of secure coding to protect the bank from vulnerabilities. In the Grads Training Programme we had this year, we thought it was a massive opportunity to catch them young and enable them to self-learn and ingrain the best secure coding practices before they hit the floor and start coding in their respective projects.
We chose the Secure Code Warrior platform for its wonderful gamification method of learning for the Grads, and they did not belie our expectations. We are delighted that each one of them participated enthusiastically in the tournament in addition to completing the White Belt Certification in different technologies,” he said.
More organizations, just like HSBC, are seeing secure coding capability as essential at the developer level. In effect, this has shone a light on tertiary education as a whole: CISOs and CIOs are starting to question why newly graduated engineers are completing their education without any robust security training.
Tertiary education innovation.
Secure coding needs to become a mandatory component of software engineering at the tertiary level, and some universities are already leading the charge, providing top-notch training and prioritizing security as part of the development process from the very beginning, rather than leaving it as the domain of scarce AppSec specialists on the ground.
At the University of Queensland in Australia, Professor Ryan Ko is making significant headway in preparing the next wave of developers to protect us from the inevitable onslaught of cyberattacks:
“Most software vulnerabilities are introduced at the coding stage, so if we can address this at the source (i.e. programmer), we would be able to eradicate most of the recurring problems found in the CVE list today. Since software affects the lives and livelihoods of most of our modern society, there is a moral and social responsibility for universities and training institutions to teach all fledgling programmers how to code securely,” he said.
This is an exciting evolution from standard courses, which offer very little in the way of significant security awareness and skills. And this is one “virus” I wouldn’t mind spreading further. To my delight, Macquarie University is also infecting its students with a security-first mindset, thanks to the efforts of individuals like Christophe Doche:
“Launched in 2016, the Optus Macquarie University Cyber Security Hub is the first initiative of this kind in Australia, linking academics in information security, business, criminology, intelligence, law, and psychology together with cybersecurity experts from industry and government.
Our mission is to position Australia as a global leader in cybersecurity through education, research, and partnerships. One important aspect of this is to address the well-documented skills gap in cybersecurity with projections showing that 1.8 million jobs will most likely not be filled worldwide in 2022.
Addressing this skills gap requires a multipronged approach, which involves upskilling and reskilling the existing workforce as well as training a new generation of cybersecurity specialists,” he said.
Their approach is impressive, offering high-engagement, precision learning that helps to bridge gaps between departments and build a thriving culture of security awareness. They are taking advantage of microlearning in their strategy, offering gamified, bite-sized learning modules with a high rate of retention, engagement and repeat play. I am especially proud that we are able to help them creatively engage their students:
“An excellent example of this engagement is the partnership with Secure Code Warrior. After a tournament organized by Secure Code Warrior and the Cyber Security Hub in August 2019, we are now looking at embedding the Secure Code Warrior platform into our curriculum, especially in our new unit on Secure Applications Development,” Christophe said.
Initiatives like those from Macquarie University and the University of Queensland are truly pioneering secure coding in the education space. Our aim as AppSec professionals, developers and a wider security community must be to bake security into everything we do, and to continue our commitment to starting left.