Last Updated on February 24, 2017
Hackers are relentless in their targeted attacks on application-level security vulnerabilities. The way to mitigate these risks is to write more secure code.
Cybercrime risk isn’t the only reason to focus on software security. It’s mandated as part of many information security certifications or audits, such as ISO 27001. It’s also part of regulatory mandates. For example, PCI DSS requirement 6.5 states that firms must:
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
Yet clearly many developers are not focused on security, because the same well-described vulnerabilities are exploited again and again in new code, and remain unfixed for years in existing code—even though the patch might take just minutes.
Why? Because software security is not a high priority for most companies. As developers work long and hard to meet tight deadlines and deliver new features faster, security vulnerabilities inevitably creep into the code. But all too often, identifying and mitigating these vulnerabilities is a post-deployment afterthought.
What to do? In the words of Bill Gates: “When we face a choice between adding features and resolving security issues, we need to choose security.” That means making the creation of a “security culture” a top (and top-down) priority.
Of course, besides being given a mandate to choose security, developers need to know how to choose security. How do hackers exploit code, and how do we stop them? Answering those questions takes more than a one-size-fits-all overview.
Here are the four levels that Pivot Point Security recommends in a best-practice security awareness training program for developers:
Level 1: Establish a common foundation
Every developer has a unique background. Some might’ve had a class on software security at a prior job or in college; others not. The first level of training should provide basic awareness of software security issues for all development team members. It should address questions like: Why is security vital? What’s at stake? Who will be attacking our code and what is their motivation? How will they attack our code and what is my role in stopping them?
Level 2: The secure software development lifecycle
The secure software development lifecycle focuses on integrating security into the development team’s daily tasks. How can we design, code, test and deploy more securely? How can we automate security whenever possible? How will this mitigate vulnerabilities in our code?
Level 3: Specific training by application type
Once everyone on the team understands the basics of software security, it’s time to focus on the security issues that impact specific kinds of applications. For example, mobile applications and web applications each have specific concerns, vulnerabilities and best practices. What about emerging challenges like making our applications more secure in the cloud? What are the current attack vectors and best practices for neutralizing them?
Level 4: Highly specific training within each application type
This last training level should drill down into the specific vulnerabilities and best-practices methodologies for each of the specific platforms or technologies your developers are working with. With respect to mobile application development, for instance, developers working with iOS versus Android platforms face very different security challenges and need specific training. Ditto for web app developers working with Java versus .NET. What are the framework’s built-in security features? What are the known vulnerabilities and problems that must be tackled? Relevance is everything at this level.
That might sound like a lot of training, but it can be accomplished quickly and cost-effectively. Few organizations will have the in-house skills to deliver effective training. Fortunately, many training companies offer classes at various levels that utilize every modality from onsite, hands-on labs to online classes to courses at training centers.
Thinking about the cost/benefit equation of developer security training in your organization? Concerned about how this training might fit into your current risk assessment and/or compliance approach? Contact Pivot Point Security to discuss next steps.