Secure your code, from the start.

Static Vs. Dynamic Cybersecurity Training: Impulsive Compliance, Future Problems

1st November 2019

It feels like “cybersecurity compliance” has been trending for years, with endless articles, initiatives, and committees discussing how the world should best tackle the enormous, multi-threat beast that is cybercrime.

The problem is, we don’t seem to have made that much progress. Globally, the cost of data breaches has been steadily on the rise, up 12% in five years to settle at approximately $3.92 million USD per breach in 2019. As our use of the internet exploded in just a couple of short decades, many companies were simply left to fight without armor as they rapidly got themselves online, set up shop and dealt with the fallout of insecure software, limited AppSec resources and, in some cases, misuse of customer trust.

These days, we are irrefutably more mature. We understand and discuss at length the scope of the threat, companies are well aware of the impact a cyberattack can have on customer sentiment, their reputation, and their bottom line, and many places are actively seeking to improve software security through compliance training, skilled hiring and increasingly, DevSecOps initiatives. Despite these huge leaps, we’re not winning the fight - not even close. There have been at least four billion records stolen in data breaches in 2019 alone.

One missing ingredient has been a somewhat slow trickle-down (at a government level) on cybersecurity standards, expectations, and consequences of a breach. The advent of GDPR has seen some heads start to roll, at least in Europe, but many government bodies are only now catching up, and the sudden need to abide swiftly to newly bloomed compliance initiatives could have some unwanted effects in the future.

Fools rush in (to the wrong training)

Robust guidelines in the form of NIST, new regulations for New York State and the formation of the UK Cyber Security Council have all been monumental wins for those fighting the good fight in keeping our data safe. They acknowledge the issues in current software development, and take steps to guide organizations on the standards they must now meet to be considered ethical and compliant, in terms of security best practice.

Unfortunately, at this stage, some of the most important elements are a little too open to interpretation. For instance, one of the mandates in the UK Cyber Security Council’s legislation is:

“To create a defined list of certifications and an easy to understand framework of how they all link together and what capabilities they convey, building on the career pathways work undertaken already”.

While their initiatives will undoubtedly improve and grow over time, if organizations are already hitting the panic button and leaping into training now, they might just find themselves ill-equipped for the future.

The cybersecurity demands of an organization change rapidly, and it is unlikely that static training solutions will stem the flow of insecure software at quite the rate required. The landscape changes faster than a traditional course can update, which can see some places fall into the “tick-the-box” compliance exercise trap; developers, contractors, and other security professionals don’t receive adequate training, and we’re back to being sitting ducks.

Static training and static tools suffer from the same problems

Static analysis tools are an integral part of the SDLC, doing their job as scanning workhorses for the scarce and overworked AppSec specialists found in most large organizations. They do a fine job, but there’s a flaw: no “one” tool can scan for every single vulnerability, supporting the huge gamut of programming frameworks out there. It’s also a slow process, and it takes just one security bug making it through the cracks to leave a door open for an attacker.

With static training, there is a similar issue. If developers receive security training as a rigid, “one-and-done” course, it is very unlikely to have kept pace with the most prevalent security issues in that period of time. It serves as a snapshot of the time it was written, and it is rarely revisited enough, delivered in the student’s preferred language and framework, nor is it contextual to the vulnerabilities they are likely to face in their day jobs. Imagine trying to recall one relevant piece of information from a video you watched months ago, while trying to hit delivery deadlines and roll code out the door… it’s unlikely to happen.

Traditional education methods are being reassessed in many industries, but when it comes to security training for developers, you only need to look at the sheer volume of data breaches we still experience (especially those that can be blamed on vulnerabilities we’ve known how to avoid in coding for decades, like SQL injection) to realize that we must try a different way.

We need training that goes beyond the confines of a single, linear course that can flex and adapt to the ever-changing needs of cybersecurity best practices.

Dynamic training: the gold standard

By offering developers a dynamic training solution, one that can be shaped rapidly to business, individual skill level, and general industry movements, you are providing them with the best foundation for coding securely, keeping security front-of-mind and acting with a security-aware mindset.

Training that is one-size-fits-all, never revisited and not engaging in the first place is going to be a complete waste of time, and unfortunately, that means you could end up impulse-buying an ineffective program for the sake of compliance. It could be outdated before you even roll it out, or barely relatable to the needs of their everyday jobs.

Dynamic training is a living, breathing tool that is constantly updated, contextual to day-to-day needs, engages users with critical thinking and actually empowers them to learn skills and fix problems.

So, what does a dynamic training program look like in a security context?

It will be:

  • Bite-sized: Developers can learn skills in manageable chunks that are far easier to remember (and more importantly, apply) than long-winded training decks and videos
  • Relevant: What use is generic security training where the examples are in, say, C#, when the developer mainly codes in Java? Any training should directly apply to their role, allowing them to see what to find and fix (and, ideally avoid in the first place) as they code.
  • Current: This seems obvious, but often isn’t. The cybersecurity landscape is changing all the time, and with more code comes more responsibility. For developers to be your first line of defense, they need training that stays up-to-date with modern security best practices.
  • Engaging: It’s no secret that developers can find “security” a chore, especially if it interferes with their creative flow. The right training will show them the power they hold in solving everyday security issues that can morph into huge risks, building a culture of responsibility and security awareness.
  • Fun: Dynamic training is rarely boring; it is supposed to be at least somewhat exciting by design. Think about what developers love: solving problems, competing with their peers and like many of us in the workforce, rewards and recognition. Play to their strengths and focus on getting the best results.

It’s an exciting time to be a software engineer; they play an integral part in digital innovation, help make amazing companies, and even take the world by storm with their own creations. However, with government bodies and large corporations realizing the part they need to play in setting standards for software security, it’s important to support them with effective, dynamic training solutions that foster a love for secure coding, not a bureaucratic tick-the-box exercise.

Pieter is the Co-Founder and CEO of Secure Code Warrior, as well as a principal instructor for the SANS Institute. He also co-founded BruCON, one of the most awesome hacking conferences on the planet.

View Comments