Create the next generation of security developers

As companies migrate to a more resilient cloud infrastructure, threat actors continue to turn their attention to the application environment as an entry point into the system. No less than 76% of applications are plagued by at least one security breach, so protecting software must be a priority. Unfortunately, the alarming lack of training and education opportunities has left many developers unprepared to write secure code and build securely designed systems, just when we need them most.

Although we find ourselves at this critical juncture, the gap in cyber security skills is still wide. The constant lack of workplace training to teach employees safe coding principles and how they affect the software development life cycle complicates the situation.

At the same time, threat actors are becoming increasingly capable, and recent high-profile attacks on companies such as SolarWinds and Colonial Pipeline have prompted US President Joe Biden to issue a comprehensive Cyber Security Executive Order that attaches great importance to software security.

Among the many factors that cause the lack of safe coding education in middle school courses, the most prominent is that some teachers do not have enough understanding of the security field, which leads to a gap between academia and industry. In addition, the gap has widened due to constant changes in software development and evolving tool chains. The academic community struggled to keep up, and students missed opportunities to learn critical and much-needed skills.

In college courses that cover cybersecurity, many courses focus on preventing problems caused by bad software security practices, rather than teaching how attackers manipulate and control systems through insecure code.

Developers need to understand the basics of how applications face the risks of attack vectors such as SQL injection or command injection. These are specific concepts that are not taught enough in schools, so training modules around secure coding and application security principles must become a necessary condition for any computer science course.

On-the-job training must be meaningful
Since most coders enter the labor market without basic secure coding knowledge, it is becoming more and more important for developers to obtain effective educational opportunities in the workplace to keep up with vulnerabilities and changes in coding best practices.

The good news is that more than half of North American organizations provide a certain level of security training for developers, but only 29% of organizations require training more than once a year. Although many organizations provide employees with initial security training or self-study modules, temporary, infrequent training does not allow developers to put what they have learned into practice. Most importantly, modern training exercises are usually general, tedious, and far removed from actual defect identification and repair, so it is difficult to retain the training and apply it in the real world.

In daily life, developers write a bunch of code, and then a week or a month later, security issues appear. Half the time, another developer fixes the defect, so the person who wrote it never has the opportunity to fix it. This means that the original developers never apply what they have learned, so they soon forget the lessons.

Developers are always working hard to learn new coding techniques; it is in their DNA. Lack of interest is therefore not the problem. The problem is the lack of interesting training options. The trick is to make training meaningful: both fascinating and applicable. Create hands-on learning opportunities so that coders can use and patch real code, get real-time feedback, and then apply these AppSec principles to the code they write. This instant feedback loop helps coders learn and practice application security in real scenarios that reflect their workflow.

Management Dilemma: Risk and Return
The other big challenge facing continuous security education is completely different and may be more difficult to solve. Due to the constant pressure to generate more code faster, development teams cannot afford to have coders regularly undergo training for hours or days. It cuts production, a measurable cost that is difficult for companies to defend. On the other hand, the risks faced may be much higher.

Management must weigh the risk of production losses against the benefits of security-conscious developers. With the cost of a data breach now at $424 million, providing developers with the knowledge to prevent and fix software defects is worth the hours of "rerouted" productivity. Helping management prioritize developer education is a daunting task, but the industry must figure this out.

Let developers become heroes
Cyber attacks occur every 39 seconds, and if the recent cyber attacks and ransomware incidents are any indication, things will only get worse. It's time to prioritize secure coding training for budding and existing developers, providing them with the knowledge they need to build secure software from the start. The next generation of developers do not yet know what they will face, but they may just be the heroes we need to turn the trend in our favor.
