Training exposure: Address secure coding training in your software security program

According to the 2019 Verizon Data Breach Investigations Report, 69% of the data breaches investigated by Verizon were perpetrated by third parties, 63% were the result of attackers targeting server assets, and nearly 70% of breach incidents were caused by attackers targeting applications. Undoubtedly, there is a substantial link between vulnerable web applications containing software faults and data breaches. Since this is the case, what is the main cause of software faults? Almost all root-cause research points to a lack of education, training, and skills in secure coding.

Application Security Testing (AST) solutions measure and manage your software exposure, which helps you accurately understand and significantly reduce your organization’s business risk. Software exposure results from errors made in the design, coding, testing and maintenance of software. Exploitation of the resulting vulnerabilities could make the software unavailable or unreliable to users, or allow attackers to execute unauthorized code, read or modify data, modify a user’s privileges, hide activities or circumvent security controls.

One component of software exposure is the concept of training exposure, as shown in the graph below. This concept begs the question, “Are the developers properly trained, and are there specific areas that need strengthening?” If you haven’t fully integrated methods for improving developer education, training, and skills into your DevOps initiatives, your organization is suffering from what we at Checkmarx call training exposure.

Understand the developer’s point of view and role

Time is one of the most valuable resources for developers. Developers are primarily employed to write quality code in today’s fast-paced CI/CD environments, and anything that slows them down is seen as a hindrance to their often heavy workloads. Writing secure code is often considered a “nice to have” that frequently falls victim to deadlines, delays, and difficulties.

Software developers are primarily compensated for their ability to write working code quickly, not necessarily secure code. Most weren’t hired to be part of the security team, but they’re in the perfect position to be part of the remedy to the overall problem. Developers have the ability (and often the responsibility) to reduce an organization’s cyber risk factors by significantly reducing its software exposure. Simply put, developers often need and want solutions that help them write more secure code. But the real question is, “What’s the best way to tackle training exposure head on and get the desired result?”

Work-related training options that don’t always work

Organizations today often require some level of security training for their new hires and existing developers. This is primarily due to the increased level of vulnerability awareness, expanding cyber threat landscape, new and existing regulatory requirements, and other internal and external influences. Organizations rank software security as a top concern, second only to their continued growth and overall business success.

Beyond what is communicated in colleges and universities today, work-related software security training can be experienced in many ways. Unfortunately, lengthy video tutorials, periodic and often extensive classroom training, and tedious online courses are often the norm. The biggest problem with this type of training is that it’s taken out of context of the day-to-day activities developers perform. Moreover, mundane training is always viewed with some level of aversion. Is there a better way to implement interactive training in the code development process itself?

Secure coding education that delivers the desired outcome

Most would agree that the best way to train someone is while they are doing the activity themselves. For example, if someone wanted to train for some kind of athletic competition, they would probably spend most of their training time doing the activity. The same goes for Secure Coding Education (SCE). SCE should be available exactly when it’s needed most, while developers write the actual code that’s part of their day-to-day work.

When you implement training programs that take developers away from their integrated development environments (IDEs), you remove them from their daily coding cycles, which is often seen as disruptive. What is needed is to integrate small, relevant training modules directly into a developer’s daily routine. This way, developers don’t have to endure hours of out-of-context training sessions.

As developers write code and a software defect that could lead to an exploitable vulnerability is detected (most commonly through incremental static application security testing (SAST)), developers can skip straight to a training module built into their IDEs. The training module should also be integrated with the SAST solution which highlights the line(s) of code where the defect was detected, as well as the location of the best fix. The module should then “train” the developer on how to fix the software defect in an interactive and rewarding way. This way, the training module is completely contextual, not just to the overall coding activity, but to the defect itself.

This just-in-time training approach has proven effective in helping developers dramatically improve their secure coding capabilities. Since it’s not common for a developer to have the full codebase of a very large software application on their desktop, training that works on the code in front of them is extremely valuable. Real-time training is the best approach when developers are tasked with fixing a security vulnerability.

What is finally achieved is, first, that the code defects are fixed, and second, that the developer’s retention of the training is greatly increased. The next time a similar fault is detected, the developer will probably know how to fix the problem immediately. Eventually, the likelihood of a developer making a similar mistake is greatly reduced, and more secure code becomes a reality. The desired result is obtained, and training exposure is no longer a contributor to the overall software exposure concern.

How to Solve Training Exposure

Integrate Secure Coding Education (SCE) across DevOps to address the risks inherent in training exposure. Here’s an SCE solution that can help your team solve training exposure.

Secure coding training for developers

What to look for: an interactive and engaging software security training platform integrated into the development environment, sharpening the skills developers need to avoid security issues, fix vulnerabilities, and write secure code.

Here are a few other key software security solutions designed to help manage software exposure beyond secure coding education.

Static Application Security Testing

What to look for: the ability to automatically scan uncompiled/unbuilt code and identify security vulnerabilities in popular coding languages.

Interactive Application Security Testing

What to look for: the ability to continuously monitor application behavior and find vulnerabilities that can only be detected on a running application.

Open-source analysis

What to look for: the ability to apply open-source analysis as part of the SDLC and manage open-source components, ensuring that vulnerable components are removed or replaced before they become a problem.

Professional and Managed Services

What to look for: a team of trusted advisors that can help development organizations transform their DevOps initiatives by adding security to their entire SDLC.

With the information provided by these software security solutions, your team can properly prioritize issues and resolve them in a timely manner.

Unify your software security in a single, holistic platform to manage your software exposure.

Ryan H. Bowman