Secure Code Warrior’s founder Pieter Danhieux explains the importance of a focus on cyber-security from the very start of the development process
While we’re starting to see some light at the end of the tunnel when it comes to the pandemic, it could be years before we fully adjust to the new normal. It’s likely that most organisations will continue to operate with largely remote workforces. For sectors embracing telecommuting for the first time, the influx of new tools and technology designed to support remote workers brought with it a whole new set of vulnerabilities that IT teams were unprepared for.
It’s unsurprising, then, that criminals took advantage of the disruption caused by the mass shift to remote working, launching a barrage of attacks over the past year. In this uncharted territory, traditional cyber-security defences can’t be relied on to shoulder the load on their own; developers need to step in and become the new front-line defenders.
For organisations to build better defences against cyber-attacks, developers need to be given ownership of their vital role in cyber-security, credit where it’s due for their successes, and the right, ongoing support. They require up-skilling, resources, and a framework of contextual knowledge about why secure coding matters. It’s up to business leaders to champion these approaches to security from the top and empower CISOs, CTOs and security executives to breathe new life into security programmes and developer-centric learning.
Prevention is the best cure
Current cyber-security tools are struggling to keep pace with the constant threat of new and increasingly sophisticated attacks. Traditional tools like firewalls and antivirus software are adept at stopping some attempts. But breaches that slip through such defences take 280 days on average to identify and contain, and those contained in under 200 days cost roughly $1 million less than slower responses, according to IBM’s Cost of a Data Breach research. The Equifax data breach, for example, which exposed information on 147 million people and has cost the company more than $1.7 billion, went undetected for 76 days.
Many organisations still rely on reactive defences. That approach centres on either the remediation of bugs in code that has already shipped, or incident response in the event of a disaster. While it has some merit, it is heavily reliant on tools and overlooks the human element of security. By investing in the people who write and review the code, organisations gain greater control of the situation, eliminating vulnerabilities before responsibility for catching them is passed to an already overloaded security tool.
Investing in security-conscious developers is key
For a long time, a developer’s skill has been measured by speed, with security an afterthought. By shifting the focus from speed to security, and giving developers viable routes to up-skilling, organisations can improve their whole software pipeline. Business leaders have an opportunity here to reshape this outdated, speed-led culture and prioritise quality, secure code.
Relevant, in-depth educational experiences that build the foundation of secure coding skills help developers see the wider impact they can have in preventing attacks that exploit common vulnerabilities. Coupled with incentives for writing secure code, CISOs and security executives can make developers a key part of their cyber-security teams.
Developer-centric security is cost effective
According to a study by the IBM System Science Institute, the cost of fixing a defect rises sharply the later it is found: roughly six times the cost of fixing it during development once it leaves the development environment, 15 times if it is uncovered in a traditional testing phase after the application has been completed, and 100 times if it is found once the programme is in production.
The initial cost of training developers to write secure code is quickly justified once even a few vulnerabilities are eliminated before they move further down the pipeline. Instead of paying the price of a security breach, business leaders can invest in up-skilling developers and deliver a more effective, long-term solution.
Staying ahead of the curve
On-the-job skills development programmes often get a bad rap, and frequently unfairly so. In cyber-security, as in many areas of technology, the field moves so fast that a guide written on the subject is nearing obsolescence before it is finished.
To remain effective, learning should be continuous. A dynamic up-skilling programme leads to better code and more highly skilled developers. Some developer-led programmes use learning tools that become part of the development process itself, raising an alert when the developer writes code that contains a known class of vulnerability. They create contextual, digestible teaching moments by explaining how the developer could have completed the same function securely.
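The kind of in-process alert described above, as an added example written for this page (it is not Secure Code Warrior’s tooling or code from the original article): a SQL lookup built by string concatenation beside its parameterised form, a demonstration that an injection payload affects only the former, and a small Python AST check that flags the unsafe pattern on a constructed source snippet and attaches the corrective hint a teaching tool would show. The table contents, the payload, `SAMPLE_SOURCE` and the hint text are all constructed for the demonstration.

```python
"""Added example: vulnerable vs. parameterised SQL, plus an AST check that
flags dynamic SQL passed to execute() the way an in-editor learning tool might.
Not the article's or Secure Code Warrior's code; all data below is constructed."""
import ast
import sqlite3


def _fresh_db():
    """Constructed in-memory table with two users for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_vulnerable(conn, name):
    """Vulnerable: the caller-controlled value becomes part of the SQL text."""
    rows = conn.execute(
        f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_role_fixed(conn, name):
    """Fixed: the value is sent as a bound parameter, never parsed as SQL."""
    rows = conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


PAYLOAD = "' OR '1'='1"  # constructed injection payload; matches every row


def demo():
    """Run the same payload through both functions and return the results."""
    conn = _fresh_db()
    return {
        "vulnerable": lookup_role_vulnerable(conn, PAYLOAD),  # every role leaks
        "fixed": lookup_role_fixed(conn, PAYLOAD),            # no such user
    }


# Hint text a learning tool might attach to the alert (constructed wording).
HINT = ("SQL assembled from runtime values allows injection; pass the value "
        "as a bound parameter: execute('... WHERE name = ?', (name,))")


def find_dynamic_sql(source):
    """Return (line, hint) for each execute()/executemany() call whose first
    argument is an f-string, a '+' concatenation or a '%' format expression."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            continue
        first = node.args[0]
        dynamic = isinstance(first, ast.JoinedStr) or (
            isinstance(first, ast.BinOp)
            and isinstance(first.op, (ast.Add, ast.Mod)))
        if dynamic:
            findings.append((node.lineno, HINT))
    return findings


# Constructed source snippet: one unsafe call (line 2) and one safe call (line 5).
SAMPLE_SOURCE = '''\
def vulnerable(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = '" + name + "'")

def fixed(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    print(demo())
    for line, hint in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {hint}")
```

The check is deliberately narrow: it only recognises three syntactic shapes and only on calls literally named `execute`/`executemany`, so it will miss `.format()` calls and wrapper functions. That narrowness is the point of an in-editor nudge rather than a full static analyser: a precise, low-noise alert tied to a concrete secure alternative is what turns the finding into a teaching moment.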
Quality code is secure code
Many vulnerabilities exist because developers haven’t followed secure programming best practice. In familiarising themselves with current security practices, developers also learn to write higher-quality code.
In today’s world, where organisations are under constant threat of cyber-attack, investing in developers is a smart move for businesses. Vulnerabilities eliminated in the earliest stages of software development don’t go on to become security problems down the line.
While this “prevention is the best cure” approach has helped to counter the chaos caused by the pandemic, organisations should continue to take a developer-centric approach to security, even after we come out the other side.
Pieter Danhieux is co-founder and CEO of Secure Code Warrior