Adding Security to the Developer’s Workflow
In the modern digital world, the only constant is change. As the rapidly evolving digital landscape fosters new technology and an increasingly connected business ecosystem, security threats are growing too. This means developers today are being asked to perform tasks and accept responsibilities that might not have even existed when they initially started the job.
Pressure on software developers to keep pace with the accelerating speed of digital transformation has seen development and operations teams come closer together to form agile DevOps functions in many organizations. Yet, this prioritization of speed means that security can often take a back seat. Time and again, we’ve seen examples of security breaches that fracture the trust brands have built with their stakeholders, so baking security into the software development cycle as early as possible is imperative.
This means the expectations of the average developer are higher than ever — while they’re being asked to build and push code at faster rates, they are also being asked to code securely and take responsibility for the security of their code. This comes at a time when the threat landscape has never been so vast, with applications under constant watch by malicious actors looking to exploit vulnerabilities.
So, what is a developer to do? Finding success as a modern developer takes more than a few adjustments to accommodate these new responsibilities.
The Developer Past, Present, and Future
The modern developer’s job description is vastly different from the developers of just a few years ago. In the past, the role was focused purely on the creation of code and applications. It was the job of the security team to test code for vulnerabilities.
Today, developers are held more directly responsible for the security of their code. In fact, recent data shows 20% of hiring professionals are looking for different skills in developer candidates than they were pre-pandemic. Additionally, the demand for developers is growing, with hiring for engineering roles up 25% year-over-year over the past two years.
Shifting Security Landscape
Why is there such demand for security knowledge in a field that is focused more on creating software than protecting it? For starters, the recent State of Software Security report found that 76% of applications contain at least one security flaw. Moreover, half of these flaws remain unfixed six months after discovery, demonstrating the importance of regular application security testing. These statistics highlight that security teams are struggling to identify and remediate vulnerabilities on their own. Security teams are beginning to lean on developers to help manage current demands.
Developing the Secure Developer
In response to the changing landscape, developer training and education must adapt to prepare the next generation of defenders for what lies ahead. Currently, only 3% of undergraduate degrees in the U.S. offer cybersecurity, but the demand for this skillset is forcing more schools to include application security in their curriculums. This creates an opportunity for AppSec organizations to partner with academic institutions and help train and mold the next generation of developers.
Some leading technology enterprises are already investing in cybersecurity education. Google recently said it would invest more than $10 billion over the next five years to strengthen cybersecurity and pledged to train 100,000 Americans in technical fields through its Career Certificate program. Additionally, Microsoft committed $20 billion over the next five years to deliver more advanced security tooling and will invest $150 million to help government agencies upgrade security systems and expand cybersecurity training partnerships.
Other organizations are getting creative by involving and partnering with academic institutions to fine-tune the skills of young coders. Hackathons like The Hacker Games, a two-week competition in which students find and fix security flaws as efficiently as they can, are adding cybersecurity to the skillsets of young software developers.
Equally important is showing developers how threat actors work. Helping developers get into the “bad guy” mindset will allow them to better understand how threat actors approach applications from a compromise perspective, providing valuable insight into which areas of their application development process could be potential targets and how best to protect against these threats.
Developers can learn from organizations that provide application security best practices, like the Open Web Application Security Project (OWASP), which recently celebrated its 20-year anniversary and even offers purposely insecure applications, such as Juice Shop, on which developers can learn and practice application security.
Additionally, for developers currently in the field, implementing security training and secure coding best practices is critical. Some best practices include:
- Integrate security early into the software development lifecycle. Embed AppSec tools into developer tools and make security part of the day-to-day routine.
- Validate inputs: ensure all data is syntactically valid as it enters a system.
- Implement identity, authentication, and access controls by building them into the early stages of development.
- Protect data by encrypting it.
- Log security issues rather than just troubleshooting and moving on.
- Take advantage of established frameworks and respected third-party libraries with secure code and proven security controls.
The National Institute of Standards and Technology (NIST) is already developing industry-wide standards, including the provision of a software bill of materials, to ensure a more secure software supply chain and development environment. As these new standards become a reality, cybersecurity education and training will become more important than ever for transforming developers, present and future, into security advocates and practitioners.