Security is a field that is seeing exponential growth, primarily because it parallels technology’s exponential growth. Companies and individuals who can embrace this will have an edge.
Let Us Advocate for Security Education
Here are a few reasons why:
- “The rate of cybercrimes has grown exponentially and is consistent with the growth of technology. As technology expands and develops, so do the cybercrimes that are committed.” (source)
- “As corporations expand their use of IoT devices, their attack surface is expanding as well. Does exponential growth mean exponential risk?” (source)
Exponential growth in technology is commonly traced back to Moore’s Law, the observation that computing capability roughly doubles every two years. This pattern has been shown to hold for many technologies, such as the power and speed of computers, computer memory, and the number of pixels in digital cameras.
Security has to keep up with the pace. One way to stay relevant in an exponential field is to exponentially learn.
In security, this means continually learning how to identify and fix vulnerabilities. We do this by scanning, testing, and fixing code. But this process inevitably slows down development.
And as the Software Development Life Cycle (SDLC) becomes increasingly faster, the likelihood of releasing vulnerabilities into production also increases.
Therefore, how can you balance the need for pushing out code quickly with the need for security? We believe there has to be an increase in security education for developers and AppSec team members.
What education is needed to become a cyber security expert?
Security is a team effort by everyone: application security engineers, system administrators, managers, architects, and analysts.
But, developers are the ones who understand the code, and developers are the ones who have to fix vulnerabilities when they are found.
A GitLab survey found that 70% of developers struggled to write secure code and needed better guidance.
Thus, we believe that security education for developers is best when it is:
- introduced right after a security issue is found so it is still fresh in their mind
- integrated into security tools so that developers limit context switching
- clear how it impacts end-users
By incorporating security education into the development process we can make learning easier. We can also increase the ROI, as education is better retained when we immediately apply it.
Fixing vulnerabilities isn’t something where AppSec team members can just click a “fix” button whenever they identify a threat and expect it to go away.
Instead, effective remediation and mitigation of these threats require knowledge, not just of what the threat is, but also how disruptive it could be and the best course of action.
When considering the list of vulnerabilities present in an application, not all findings are equally important. It’s essential to identify which issues are high priority and which ones are not.
For example, if your application relies on third-party libraries or SDKs, you may be adding vulnerabilities to your application if they’re present in the libraries/SDKs you’re using. However, if you never use the problematic portions of code, you should not prioritize mitigation/remediation of these findings.
Sometimes the next steps after identifying a vulnerability are simple: you should apply a security patch or upgrade the library in use. However, sometimes the fix (or remediation) isn’t possible. In that case, the best thing you can do is mitigate the vulnerability (in other words, minimize the possibility that an attacker exploits the vulnerability).
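The two ideas above, deprioritizing third-party findings whose vulnerable code path the application never calls, and choosing remediation (upgrade) when a fixed release exists or mitigation when it does not, can be turned into a small triage step. The following is an added example written for this page; it is not ShiftLeft's code or any product's API. The library names, symbols, versions and application source are all constructed, and the reachability check is deliberately simple (direct imports and attribute calls found via Python's `ast` module), standing in for the richer call-graph analysis a real tool would perform.

```python
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of what a dependency scanner might report.
# Library names, symbols and versions are made up for this example.
@dataclass(frozen=True)
class Finding:
    library: str                  # dependency that carries the flaw
    vulnerable_symbol: str        # function in that dependency that is actually flawed
    severity: str                 # "critical" | "high" | "medium" | "low"
    fixed_version: Optional[str]  # None when no patched release exists yet

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

SAMPLE_FINDINGS = [
    Finding("yamlkit", "unsafe_load", "critical", "2.1.0"),
    Finding("yamlkit", "dump_legacy", "high", "2.1.0"),
    Finding("imgtool", "parse_exif", "high", None),
    Finding("httpx_lite", "debug_echo", "medium", "0.9.4"),
]

# Constructed application source: the only third-party code paths the app exercises.
SAMPLE_APP_SOURCE = """
import yamlkit
from imgtool import parse_exif

def load_config(text):
    return yamlkit.unsafe_load(text)

def thumbnail(blob):
    return parse_exif(blob)
"""


def used_symbols(source: str) -> Set[Tuple[str, str]]:
    """Collect (library, symbol) pairs the application references.

    Recognises `from lib import sym` and `lib.sym(...)` attribute access on a
    module imported with `import lib [as alias]`. Star imports and dynamic
    imports are not resolved, so treat an empty result with suspicion.
    """
    tree = ast.parse(source)
    modules: Dict[str, str] = {}  # local name -> library name
    used: Set[Tuple[str, str]] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                modules[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                used.add((node.module, alias.name))
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute)
                and isinstance(node.value, ast.Name)
                and node.value.id in modules):
            used.add((modules[node.value.id], node.attr))
    return used


def triage(findings: List[Finding], used: Set[Tuple[str, str]]) -> List[dict]:
    """Rank findings: reachable first, then by severity, with a recommended action."""
    rows = []
    for f in findings:
        reachable = (f.library, f.vulnerable_symbol) in used
        if not reachable:
            action = "deprioritize: vulnerable code path is never called"
        elif f.fixed_version:
            action = f"remediate: upgrade {f.library} to {f.fixed_version}"
        else:
            action = "mitigate: no fixed release yet, add controls around the call site"
        rows.append({
            "library": f.library,
            "symbol": f.vulnerable_symbol,
            "severity": f.severity,
            "reachable": reachable,
            "action": action,
        })
    # Reachable findings sort ahead of unreachable ones; within each group, highest severity first.
    rows.sort(key=lambda r: (not r["reachable"], -SEVERITY_RANK[r["severity"]], r["library"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, used_symbols(SAMPLE_APP_SOURCE)):
        print(f"{row['library']}.{row['symbol']:<12} {row['severity']:<9} {row['action']}")
```

Running it on the constructed input puts the critical `unsafe_load` finding first with an upgrade recommendation, the `parse_exif` finding second with a mitigation recommendation because no fixed version exists, and pushes the two findings the application never calls to the bottom of the list, which is the prioritisation the text describes.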
The only way that your AppSec team can effectively address vulnerabilities is to have the education and knowledge necessary to make the best decision for a wide array of situations.
This is where ShiftLeft can help
With our code security platform, ShiftLeft CORE, we help your team prioritize the severity of vulnerabilities in your Dashboard.
Now that we are able to focus, team members become more effective, working only on the most impactful items. This is especially important given that AppSec teams often have significant backlogs of security issues to address.
As we’ve mentioned before, for security education to be effective it needs to be embedded into your security tools. That’s why we’ve partnered with Kontra, a security training company, to create a product that helps teams fix 91% of new vulnerabilities within two sprints.
We created ShiftLeft Educate, a security training platform, to help your team develop the skills needed to ensure your code is secure. It’s better than your standard training videos because it’s embedded within the context of our platform.
With Educate, we help guide your team through every step of the process, in the context of code security tools. This helps you get the most out of your tool, your vulnerabilities, but most importantly your security team.
Cyber Security Education Is More Important Than Ever was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Randy Gibson. Read the original post at: https://blog.shiftleft.io/cyber-security-education-is-more-important-than-ever-8c3e84739192?source=rss----86a4f941c7da---4