Developers Need Security Training

Security has long taken a back seat to speed when it comes to app development. A Synopsys blog explains one reason why: Developers are builders first. “Developers’ primary job is to create features that work—not to worry about what might go wrong.”

Could it be something more than a focus on the creative, however? Perhaps developers skip security because they lack security training.

Security training for developers should be considered a vital part of their skillset.

“The development team should have basic security knowledge because they own the problems they create and they need to fix them,” said Mark Lambert, vice president of products at ArmorCode, in an email comment. “The AppSec team only helps find the problems, but cannot fix them.”

The Cost of Missed Security

Any time a vulnerability or flaw is found in an app, there is a cost involved, but you may not have given much thought to where in the life cycle the flaws are most expensive. According to the National Institute of Standards and Technology (NIST), Lambert said, it costs five times more to fix a security problem during development, but it costs 30 times more to fix the same problem in production.

Also, the financial impact of basic security knowledge for developers somewhat depends on their level of involvement.

“If your companies’ developers handle deployments or other infrastructure-related configurations like manual certificate renewals, then this could be a game-changer,” Miclain Keffeler, application security consultant at nVisium, said in an email interview.

But there are certain benefits to this approach that are the same across the board, Keffeler added. For example, a huge security gain is made through the simple act of maintaining up-to-date libraries. This corresponds to number six on the Open Web Application Security Project (OWASP) Top Ten.

“If developers were aware of this, it could become more standard practice to issue minor patches as part of regular releases,” Keffeler said.
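The library-maintenance point above (OWASP Top Ten A06, Vulnerable and Outdated Components) is easy to turn into a routine check. The following is an added example, not code from the article or from any of the companies quoted: it reads a pinned requirements file, compares each pin against a table of "fixed in" versions, and lists what should be bumped in the next release. The requirements text, the package names and the advisory table are all constructed for the demonstration; in practice the table would come from a real advisory feed.

```python
"""Flag pinned dependencies that sit below a known fixed version.

Added example for the 'keep libraries up to date' point. The
requirements text, package names and advisory entries below are
constructed for illustration and do not refer to real packages,
advisories or CVE identifiers.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of a pinned requirements.txt (not a real project).
REQUIREMENTS = """\
# web stack
acme-webframework==1.0.2
acme-http==2.31.0
acme-yaml==5.3.1  # config parsing
acme-crypto==41.0.0
"""

# Constructed advisory table: package -> [(fixed_in, advisory id placeholder)].
# A pin strictly below fixed_in is treated as affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "acme-webframework": [("2.2.5", "ADVISORY-PLACEHOLDER-1")],
    "acme-yaml": [("5.4", "ADVISORY-PLACEHOLDER-2")],
    "acme-crypto": [("41.0.3", "ADVISORY-PLACEHOLDER-3")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.3.1' into (5, 3, 1); a non-numeric component ends parsing."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding the shorter tuple with zeros so 5.4 == 5.4.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def parse_requirements(text: str) -> Dict[str, str]:
    """Extract name==version pins; comments and blank lines are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def find_outdated(pins: Dict[str, str], advisories: Dict[str, List[Tuple[str, str]]]):
    """Return (name, pinned, fixed_in, advisory) for every pin below a fix."""
    findings = []
    for name, pinned in sorted(pins.items()):
        for fixed_in, advisory in advisories.get(name, []):
            if version_lt(pinned, fixed_in):
                findings.append((name, pinned, fixed_in, advisory))
    return findings


if __name__ == "__main__":
    for name, pinned, fixed_in, adv in find_outdated(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{name}=={pinned} is below {fixed_in} ({adv}); bump it in the next release")
```

Running this as part of the release pipeline is the "minor patches as part of regular releases" habit described above: a non-empty findings list fails the build until the pins are raised.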

How to Approach Security Training for the Development Team

Any good training will be relevant to its target audience, which is why a good starting point is the OWASP Top Ten to learn more about the biggest security issues. The SANS Institute offers security training for the development team that includes instruction on how to move through the development stage with security built into the life cycle, as well as training on OWASP’s Top Ten.

Another key point often overlooked is the language being used to develop. “Strongly-typed languages have inherent security gains by nature because they limit the type of data that can be inputted to certain variables marked as certain types,” Keffeler said. “If your organization does not use a strongly-typed language, be sure to do training on specific ways you can gain these security benefits with low-code changes. If your organization does use a strongly-typed language, make sure developers know how to take advantage of it with specific, easy-to-understand examples.”
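One of the "low-code changes" the quote refers to, for teams working in a dynamically typed language, is to enforce declared types at the point where untrusted input enters the program. The block below is an added example written for this article, not code from the article or from the companies quoted; it uses a dataclass as the declared shape of a request and rejects any JSON whose fields have the wrong type, including the Python quirk that bool is a subclass of int. The request shape and the sample inputs are constructed for the demonstration.

```python
"""Type enforcement at the trust boundary in a dynamically typed language.

Added example: the TransferRequest shape and the sample JSON inputs are
constructed for illustration and do not come from any real system.
"""
import json
from dataclasses import dataclass, fields
from typing import Any, Dict, Optional


@dataclass(frozen=True)
class TransferRequest:
    """Declared shape of an inbound request; annotations are the contract."""
    account_id: str
    amount_cents: int
    memo: str


class InputTypeError(ValueError):
    """Raised when untrusted input does not match the declared types."""


def parse_request(raw: str) -> TransferRequest:
    """Parse JSON into TransferRequest, refusing any field of the wrong type."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise InputTypeError("top-level JSON value must be an object")
    declared = {f.name: f.type for f in fields(TransferRequest)}
    extra = set(data) - set(declared)
    if extra:
        raise InputTypeError(f"unexpected fields: {sorted(extra)}")
    kwargs: Dict[str, Any] = {}
    for name, expected in declared.items():
        if name not in data:
            raise InputTypeError(f"missing field {name}")
        value = data[name]
        # bool is a subclass of int in Python, so true/false would pass an
        # isinstance(value, int) check; reject it explicitly.
        if expected is int and isinstance(value, bool):
            raise InputTypeError(f"{name} must be int, got bool")
        if not isinstance(value, expected):
            raise InputTypeError(
                f"{name} must be {expected.__name__}, got {type(value).__name__}"
            )
        kwargs[name] = value
    return TransferRequest(**kwargs)


def try_parse(raw: str) -> Optional[str]:
    """Return None when the input is well typed, else the rejection reason."""
    try:
        parse_request(raw)
    except (InputTypeError, json.JSONDecodeError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: one well formed, three that a loosely
    # typed handler would have accepted and mishandled later.
    for sample in (
        '{"account_id": "A1", "amount_cents": 250, "memo": "rent"}',
        '{"account_id": "A1", "amount_cents": "250", "memo": "rent"}',
        '{"account_id": "A1", "amount_cents": true, "memo": "rent"}',
        '{"account_id": 7, "amount_cents": 250, "memo": "rent", "admin": 1}',
    ):
        print(sample, "->", try_parse(sample) or "accepted")
```

The check runs once at the boundary; everything downstream can then rely on `amount_cents` being an int the way code in a strongly typed language would, which is the benefit the quote describes.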

Developers as Part of the DevSecOps Team

Because DevOps is often its own team, there are two ways to bring developers into the DevSecOps process.

Either InfoSec trains the DevOps team on the key things to look for and works in a consulting role as needed to ensure standards are met, with automated checks introduced into the process as it matures, Keffeler explained; or, alternatively, a security developer is embedded on the team so that they are part of the process and have visibility into ongoing work.

“Each approach has its own merits, but the key point here is that as releases are happening, security is involved. Even more so, when security incidents inevitably happen, organizations can quickly respond because they have security people already in tune with the process so that fixes can get out fast.”

Why Security Training Matters

Ultimately, the output of DevOps is code, said John Bambenek, principal threat hunter at Netenrich, and the goal of DevSecOps should include that the output be secure code.

“Making sure developers know how to code securely would be a huge win and do wonders for taking work off my plate so I can retire … someday,” he said.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
