There’s a question that needs to be asked by every developer, whether you are a graduate or a veteran. And the answer matters. It’s become even more important in an agile world as it will directly impact how successful you will be at software engineering; and how valuable you will be to you next employer.
It’s the million dollar question. Actually, it’s the multi-multi million dollar question!
Are you committed to helping me to code securely?
The average cost of a data breach now stands at USD$3.6M. The odds of your company being breached this year are as high as one in four. Given these facts, I share the frustrations of many that developers aren’t graduating from university with competency in secure coding and security embedded into their DNA.
Why? Software engineering is still a relatively young profession. The emphasis has been on teaching people how to build code quickly, make it elegant and functional, but with very limited focus on making the code secure. The pace of change in methodologies, technologies, languages and opportunities only exacerbates these key skill gaps.
We aren’t going to change the academic system quickly, so developers and companies alike should expect that developers need to learn secure coding skills on the job. In some professions, you can learn by making mistakes, but for others, it isn’t an option. So it is with cyber security.
The facts show that we haven’t done very well with on-the-job developer security training either. Most of the world’s major security breaches are due to coding errors which allow hackers gain privileges on computer networks, enabling them to access and harvest valuable data. The Verizon Data Breach Investigation Report (DBIR) 2017, shows that 30% of all breaches are directly caused by weaknesses in web applications security and this conclusion has been consistent in the DBIR report since 2013.
The 2017 Global DevSecOps Skills Survey released in August 2017, confirmed what we already knew: while 65 percent of DevOps professionals believe it is very important to have knowledge of DevSecOps when entering IT, 70 percent feel they're not receiving the necessary training through formal education to be successful in today's DevSecOps world.
Nearly 40 percent of hiring managers surveyed reported that the hardest employees to find are the all-purpose high-end developers with sufficient knowledge about security testing. 70 percent of respondents said the security education they had received is not adequate for their current positions. In fact, less than 4% said they are afforded the opportunity at all.
I saw this first hand when I spent almost a decade working with multiple teams of professional white-hat hackers. With tragic regularity, we broke into large enterprises, start-ups and government departments; always finding the same weaknesses.
This is why developers need to speak up when you are being hired. If your prospective employer isn’t taking your developer security training seriously, you should think about what sort of company you are considering joining.
The second question you should ask is how they plan to deliver it. Will it be hands-on and interactive? Developer security training on vulnerabilities using slideware, videos, clickable animations, or abstract discussions are unlikely to assist you directly in your coding. Will they ensure you are continually kept up to date with the latest vulnerabilities? Is there a security guild or community where you can learn from? Are there security mavens who can you can fall back to if you need help?
A commitment to your secure coding skills needs continuous learning through hands-on challenges in specific coding frameworks and confronting you with different vulnerabilities in multiple scenarios. You simply cannot learn about SQL injections through one example. You need exposure to multiple examples of diverse types so that you learn to recognise these dangerous coding patterns.
One of our customers required their developers play a single challenge (5 minutes) every day for two months. It tested their skills before and after the training period and observed a 60% increase in secure coding capability over a group of hundreds of developers. This means less resources spent on finding and fixing security bugs later in the life-cycle and significant long-term savings. It means hackers won’t use your code to compromise your company’s data.
There were 11 million professional developers in the world in 2014, according to IDC research. In 2015, Burning Glass found there were as many as 7 million job occupations that required coding skills and that programming jobs were growing on average 12% faster than the market.
There are plenty of software jobs out there. So take a stand and choose employers who are committed to taking care of their security, your security and their customers' security. By extension, chose companies who invest in you.
There’s a question that needs to be asked by every developer, whether you are a graduate or a veteran. And the answer matters. It’s become even more important in an agile world as it will directly impact how successful you will be at software engineering; and how valuable you will be to you next employer. It’s the million dollar question. Actually, it’s the multi-multi million dollar question! Are you committed to helping me to code securely?