Developers are under an immense amount of pressure to deliver more code, more quickly than ever before. A Dimensional Research report from 2020 states that more than half of developers report handling 100x the volume of code that they did just ten years ago, while 92% of them report that the pressure to release code has increased in the same time span.
With so much emphasis being placed on generating code and meeting software roadmap timelines, it’s not surprising that security is often relegated to secondary importance. More than half of the respondents reported that high security risks are the second biggest challenge they have to deal with as a result of the large volume of code required for the software they produce, after code quality. But while code quality is something that nobody will compromise on, because applications either work properly or don’t, security often gets short shrift. Rod Cope writes about software development security in Information Age, “…the increasing complexity of modern software development environments, not to mention the sheer volume of code and other digital assets being created, often in continuous, fast-paced environments, exacerbates the challenge.”
It’s clear that security can create friction in the software development lifecycle and slow the roadmap down, but why should more developers pay attention to it? IBM’s “Cost of a Data Breach Report – 2020” sheds some light on this question. The average cost of a data breach, globally, was USD 3.86M, while in the United States that number was USD 8.64M. 16% of the breaches caused by malicious attacks originated from software that had vulnerabilities in it. A strong focus on security can mean the survival of a company that doesn’t have the resources to recover from a breach.
If the potential costs are that large, the natural question is, “Why isn’t security given more prominence during the software development lifecycle?” There are a number of reasons, but the two that are most prominent are related to:
- The use of open source and third party software
- The lack of secure coding training in computer science and software development programs
According to HackEDU’s 2021 Vulnerability Benchmark Report, the use of open source and third party software is cited as one of the biggest problems that companies face when it comes to software security. Synopsys published in its 2020 Open Source Security and Risk Analysis (OSSRA) report that 99% of codebases that were audited contained at least one open-source component. Shockingly, 91% of the codebases contained components that were over four years out of date or had not been actively developed within the previous 2 years.
Companies use open source software because they don’t have the time to “reinvent the wheel”, and developers lean on these components to speed up the development process. While this buys developers speed, the cost, of course, is the risk of vulnerabilities: components that are not kept up to date are not being patched against more recently discovered vulnerabilities.
The other major reason is developers’ training. At the time of this article’s writing, none of the Top 40 coding programs in the United States requires secure coding training. Since developers aren’t being imbued with the knowledge and the mindset for security, it doesn’t get the same kind of attention and focus as other aspects of software development. Given that, what can be done to remedy it?
Secure coding training is the solution to the gap in secure development practices. There are numerous ways of educating developers on the topic, from videos to PowerPoint slides to in-person, hands-on training and its web-based counterparts. How do you decide which program is best, and what should you look for when evaluating secure coding training options? The questions to ask are:
- Is the training interactive, or hands-on? It’s always more powerful to learn by doing, instead of just by reading
- Are the lessons bite-sized, or monolithic? Bite-sized lessons allow developers to learn, then practice what they’ve learned, without spending too much time on each topic
- Is the training seamless and relevant, and does it fit into their development lifecycle? The ideal scenario is when training is delivered on an “as-needed” basis, based on the challenge that the developer is facing at that particular point in time
- Does the training teach both offensive and defensive skills, or defensive only? Offensive training, combined with defensive training, has been shown to be superior by a University of Mannheim study
- Are the administrative tools robust, and do they allow the administrator to set up, deploy, manage and measure the developers’ progress easily?
While security has traditionally been an overlooked component of a developer’s professional evolution, it plays an increasingly important role. As the number and frequency of malicious attacks rises, security must become a top priority for any coder, as secure coding knowledge will soon become a basic requirement for any software developer when a company evaluates them.