Developers need security training – Security Boulevard


Security has long taken a back seat to accelerating application development. A Synopsys blog explains one reason: developers are first and foremost builders. “The main job of developers is to create features that work, without worrying about what might go wrong.”

Could it be something more than a creative focus, though? Maybe developers ignore security because they lack security training.

Security training for developers should be considered an essential part of their skills.

“The development team needs to have basic security knowledge because they own the problems they create and they need to fix them,” said Mark Lambert, vice president of products at ArmorCode, in a comment by email. “The AppSec team only helps find problems, but cannot fix them.”

The cost of missed security

Every time a vulnerability or flaw is found in an application there will be a cost involved, but you may not have given much thought to where the flaws cost the most. According to the National Institute of Standards and Technology (NIST), Lambert said, it costs five times as much to fix a security issue during development, but it costs 30 times as much to fix the same issue in production.

Additionally, the financial impact of basic security knowledge for developers depends somewhat on their level of involvement.

“If your company’s developers are managing deployments or other infrastructure-related setups like manual certificate renewals, that could be a game-changer,” said Miclain Keffeler, application security consultant at nVisium, in an interview by email.

But some advantages of that knowledge are the same across the board, Keffeler added. For example, simply keeping libraries up to date yields a huge security gain. This corresponds to number six in the Open Web Application Security Project (OWASP) Top Ten.

“If developers were aware of this, it might become a more common practice to release minor fixes as part of regular releases,” Keffeler said.
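To make the "keep libraries up to date" point concrete, here is an added example (not code from the article, nor from ArmorCode or nVisium) that reads a pinned requirements list and flags every pin that sits below a minimum patched version. The package names, versions and the minimum-safe-version table are all constructed for illustration; in practice the table would come from an advisory feed or a software composition analysis tool.

```python
"""Flag pinned dependencies that are below a known-patched version.

Added example for the OWASP Top Ten "outdated components" point; it is not
code from the article or any vendor quoted in it. REQUIREMENTS and
MIN_SAFE_VERSION are constructed data, not real packages or advisories.
"""
import re

# Constructed sample of a pinned requirements file (name==version lines).
REQUIREMENTS = """\
# web stack (constructed example)
webframework==1.0.2
httpclient==2.25.1
yamlparser==5.1
tlslib==41.0.7
"""

# Constructed table: package -> lowest version considered patched.
MIN_SAFE_VERSION = {
    "webframework": "2.2.5",
    "httpclient": "2.31.0",
    "yamlparser": "5.4",
    "tlslib": "41.0.7",
}


def parse_version(text):
    """Turn '2.25.1' into (2, 25, 1) so versions compare numerically.

    Only dotted integers are handled; pre-release suffixes such as '1.0rc1'
    are deliberately out of scope for this example.
    """
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {name: version} for every 'name==version' line, skipping comments."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def outdated_packages(requirements_text, min_safe=MIN_SAFE_VERSION):
    """Return a sorted list of (name, pinned, minimum_safe) for stale pins.

    A pin that equals the minimum safe version is not reported.
    """
    stale = []
    for name, pinned in parse_requirements(requirements_text).items():
        floor = min_safe.get(name)
        if floor and parse_version(pinned) < parse_version(floor):
            stale.append((name, pinned, floor))
    return sorted(stale)


if __name__ == "__main__":
    for name, pinned, floor in outdated_packages(REQUIREMENTS):
        print(f"{name}: pinned {pinned}, patched from {floor}")
```

Run as a script it lists three stale pins (`tlslib` is already at its floor). The useful habit the example models is the one Keffeler describes: a check like this runs in CI on every release, so minor dependency bumps ship with regular releases instead of accumulating.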

How to approach security training for the development team

Any good training will be relevant to its target audience, so a good place to start is the OWASP Top Ten, which covers the biggest web application security issues. The SANS Institute offers security training for development teams that includes instruction on getting through the development stage with security built into the lifecycle, as well as OWASP Top Ten training.

Another key point often overlooked is the language used to develop. “Strongly typed languages have inherent security gains in nature because they limit the type of data that can be entered to certain variables marked as certain types,” Keffeler said. “If your organization does not use a strongly-typed language, be sure to receive training on specific ways to achieve these security benefits with low-code changes. If your organization uses a strongly-typed language, make sure developers know how to take advantage of it with specific, easy-to-understand examples.”
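The quote asks for specific, easy-to-understand examples of getting type-based safety in a language that does not enforce it. The following is an added example (not code from the article or from nVisium) in Python, a dynamically typed language: raw request strings are parsed once, at the boundary, into a small value object whose constructor rejects anything outside the allowed shape, and every downstream function accepts only that type. `AccountId`, `ACCOUNTS` and the sample inputs are constructed for illustration.

```python
"""Enforce a narrow type at the input boundary in a dynamically typed language.

Added example for the strongly-typed-language point; not code from the
article or from nVisium. AccountId, ACCOUNTS and SAMPLE_INPUTS are constructed.
"""
from dataclasses import dataclass
from typing import Optional

MAX_ACCOUNT_ID = 10**9  # constructed upper bound for valid ids


@dataclass(frozen=True)
class AccountId:
    """A validated, immutable account identifier."""
    value: int

    def __post_init__(self):
        # Reject anything that is not a plain int. bool is an int subclass in
        # Python, so it is excluded explicitly. Then enforce the range.
        if isinstance(self.value, bool) or not isinstance(self.value, int):
            raise TypeError("AccountId must be an int")
        if not 1 <= self.value <= MAX_ACCOUNT_ID:
            raise ValueError("AccountId out of range")

    @classmethod
    def parse(cls, raw: str) -> "AccountId":
        """Boundary parser: only ASCII decimal digits are accepted.

        str.isdigit() alone is not enough: non-ASCII digits such as Arabic-Indic
        numerals pass it and int() would happily convert them, so the ASCII
        check keeps the accepted shape exactly as narrow as intended.
        """
        if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
            raise ValueError(f"not an account id: {raw!r}")
        return cls(int(raw))


# Constructed account table standing in for a database.
ACCOUNTS = {42: "alice", 7: "bob"}


def lookup_owner(account_id: AccountId) -> Optional[str]:
    """Accepts only the validated type; a raw string cannot reach this lookup."""
    if not isinstance(account_id, AccountId):
        raise TypeError("lookup_owner requires an AccountId")
    return ACCOUNTS.get(account_id.value)


def triage(raw_inputs):
    """Classify constructed request values as accepted (with owner) or rejected."""
    accepted, rejected = [], []
    for raw in raw_inputs:
        try:
            accepted.append((raw, lookup_owner(AccountId.parse(raw))))
        except (TypeError, ValueError):
            rejected.append(raw)
    return accepted, rejected


# Constructed inputs: two well-formed ids plus malformed, out-of-range,
# empty, non-ASCII-digit and oversized values.
SAMPLE_INPUTS = [
    "42", "7", "0", "42 OR 1=1", "../../etc/passwd", "",
    "\u0664\u0662", "99999999999",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_INPUTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

In a statically typed language the compiler would refuse a call like `lookup_owner("42")` outright; here the same guarantee is approximated by making `AccountId` the only way into `lookup_owner` and making its constructor the single place where the allowed shape is defined. Type hints plus a checker such as mypy catch the wrong-type call before runtime, and the `isinstance` guard catches it if the checker is skipped.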

Developers within the DevSecOps team

Since DevOps is often its own team, there are two ways to involve developers in the DevSecOps process.

Either InfoSec trains the DevOps team on the key things to look for and works in an advisory role, if needed, to ensure standards are met, with automated checks introduced into the process as it matures, Keffeler explained; or, alternatively, a security developer is onboarded to the team so they are part of the process and have visibility into the work in progress.

“Each approach has its own merits, but the key point here is that as releases occur, security is involved. More so, when security incidents inevitably occur, organizations can respond quickly because they have security personnel already in tune with the process so that patches can be released quickly.”

Why security training is important

Ultimately, DevOps output is code, said John Bambenek, principal threat hunter at Netenrich, and the goal of DevSecOps should include making sure that output is secure code.

“Making sure the developers know how to code safely would be a huge win and would do wonders to offload my work so I can retire…one day,” he said.
