I am sometimes surprised to see how even those working in the software industry tend to forget where the burden of security lies. Most incidents we experience today stem from defects in the code – actually bugs – committed by software engineers when designing, implementing, and integrating all those systems. But, on the other hand, this is not that surprising, given that software security is usually not included in standard educational programs.
Investing Where it Matters
Let’s face reality: Constrained by resources, many software developers ignore security entirely until they face an incident. Another common issue is tackling information security threats by just focusing on the options thought to be the cheapest. This usually means just going through a checklist for finding some of the most common problems. But is this really the cheapest option? Just think about it: What is the cost of losing reputation when news spreads that your organization has been hacked?
It’s another economic process; the cost of designing software securely in the first place is less than the cost of the bad press after a vulnerability is announced plus the cost of writing and deploying the patch.
Bruce Schneier
Today the software development community realizes that security is interwoven with the whole product development lifecycle. But do not forget that while engineers have to be vigilant and – in theory – eliminate every single bug in the code to make a product secure, an intelligent attacker only needs to find a single remaining vulnerability in a rarely-used module to use it as a vehicle for committing cybercrime.
During the 2000s the software industry started to realize that, in the long run, investing in its own employees would be the most effective way of implementing security. Training became the key initial phase of the Microsoft Security Development Lifecycle and is also a standard practice within the Building Security In Maturity Model followed by many organizations. Companies started to reserve more and more of their security budget to train their employees, as training tackles the problem of security right at its source – the engineer.
Accountability for Proper Security
But just as we can’t put a policeman on every corner, assigning a dedicated security expert to a development group is not enough (though still better than doing nothing at all). Usually, a single minor oversight by one of the engineers is the root cause of a complete system compromise. The overall average preparedness of all the software architects, programmers, and testers involved is what actually counts.
From a project management point of view, it is an easy formula: Your engineers work hard each day and produce vulnerable code that results in hundreds of security bugs annually. Your organization will then need to spend resources to test for, detect, and correct those vulnerabilities.
An easier option would be to send those programmers to secure coding training and they’ll start to write secure code from their next working day.
Special prudence is needed, however, when teaching security practices to software engineers. The trainer should not only be an experienced software developer but must also have strong security expertise. The courses should be practical but still go into enough theoretical detail; the problems demonstrated should be supported by exercises that provide hands-on experience. If not, developers will forget most of the issues the next day. Classes should be intensive so they don’t pull people away from their everyday work for too long.
Courses at SCADEMY Secure Coding Academy were formed from decade-long expertise in product security and security research. In this sense, with our courses, we teach what we do. With a track record of thousands of attendees worldwide, the training programs in our portfolio are specifically designed to serve the diverse development groups of large companies developing any kind of software.
Secure coding courses by Secure Coding Academy are now available at ITpreneurs. Have a look and find out how you can help your learners meet their cybersecurity goals.
About the author
Management and leadership
International sales in diverse geo and corporate cultures
SDLC – software security, product/application security, security testing
Educating software professionals and security champions on secure coding practices
Vulnerabilities and their mitigation – best practices
Secure coding – C/C++, Java, C#, Python and many other languages and platforms
R&D project planning and management