Professional developers want to do the right thing, but in terms of security, they’re rarely set up for success. Organizations must support their top talent with the right training and incentives if they want secure software from the ground up.
As the cyber threat landscape grows more complex by the day, our data is widely regarded as highly coveted "digital gold". Attackers are constantly scanning networks for vulnerable applications, programs, and cloud instances, and the latest flavor of the month is APIs, which Gartner predicts will become the most common attack vector in 2022. This is no great feat for attackers, because the security controls around these assets are often lax.
Threat actors are so persistent that new apps are sometimes compromised and exploited within hours of deployment. The Verizon 2022 Data Breach Investigations Report found that 13% of breaches were caused by errors and misconfigurations, with the human element involved in 82% of the 23,000 incidents analyzed.
It is becoming increasingly clear that the only way to truly fortify the software being developed is to ensure that it is built on secure code. In other words, the best way to stop a threat actor from attacking is to deny them a foothold in your software in the first place. Cybercriminals have a distinct advantage against organizations struggling to protect their often vast attack surfaces, and any windows of opportunity that can be closed for good significantly reduce the risk.
We make it hard for security stars to shine
The current status of developers in many organizations is that their primary role is to create awesome features and deploy software at speed. The faster developers can code and deploy, the more valuable they appear in terms of their performance reviews.
Security, if considered at all, may be an afterthought and is conspicuously absent as a measure of developer success. The 2022 State of Developer-Driven Security Survey, conducted in conjunction with Evans Data, supports this view: 86% of developers surveyed said they do not consider application security a top priority. Instead, much of it is left to application security (AppSec) teams to figure out. AppSec teams are a source of frustration for many developers, because they often send completed applications back into development to apply security patches or rewrite code to fix vulnerabilities. And every hour a developer spends working on an app that is already "done" is an hour not spent building new apps and features, reducing their measured performance (and their perceived value, especially in the eyes of a punitive company).
However, the modern threat environment has forced everyone, from companies to government departments, to rethink the importance and priority of security, and they would be right to consider how a development group fits into a defensive approach. According to the 2022 data breach report from IBM and the Ponemon Institute, the average cybersecurity breach now costs about $4.24 million per incident, and that is far from the ceiling. Today's companies want the security that DevSecOps offers but, unfortunately, have been slow to reward the developers who answer that call.
Simply asking development teams to think about security won't work, especially if they are still incentivized solely on speed. In such a system, developers who take the time to learn about security and secure their code may actually miss out on the good performance reviews and lucrative bonuses that their less security-aware colleagues receive. It is almost as if companies are unwittingly rigging the system against their own security, and it comes back to how they understand the development team. If they don't see developers as a security front line, a viable plan to use them that way is unlikely to materialize.
And that doesn't even account for the lack of training. Some highly skilled developers have decades of coding experience but very little when it comes to security; after all, they never needed it to succeed or to produce quality work. Unless a company provides a good training program, it cannot expect its developers to suddenly acquire new skills and put them into action in a meaningful way that proactively mitigates vulnerabilities.
(Want to compete with other elite developers from around the world, or nominate your own development team of security superstars? Join the Secure Code Warrior 2022 Devolympics, our biggest and best global secure coding contest, and you could win big!)
Rewarding developers for good security practices
The good news is that the vast majority of developers do their work because they find it both challenging and rewarding, and because they feel respected in their position. Lifelong software engineer Michael Shpilt recently wrote about all the things that motivate him and his colleagues in their development work. Yes, he does list financial compensation among those incentives, but it is surprisingly far down the list. Instead, he cites the thrill of creating something new, skill development, and the satisfaction of knowing that his work will directly help others. He also talks about wanting to feel valued in his company and community. In short, developers are no different from many good people who take pride in their work.
Developers like Shpilt don't want threat actors compromising their code and using it to harm their company or endanger the users they are trying to help. But they cannot suddenly shift their priorities to security without support.
To help development teams improve their cybersecurity prowess, they must first be taught the necessary skills. A layered approach to learning, together with purpose-built tools that integrate seamlessly into their actual workflow, can make this process less painful while framing their existing knowledge in the right context.
Along with a commitment to upskilling, the old practice of evaluating developers solely on speed must be done away with. Instead, developers should be rewarded for their ability to produce good, secure coding patterns, with the best candidates becoming security champions who help the rest of the team improve their skills. Those champions need to be rewarded with both recognition in the company and financial compensation. It is also important to remember that developers typically do not have a positive history with security, and uplifting them with positive, engaging education and encouragement that matches their interests will go a long way toward ensuring both knowledge retention and a willingness to build skills.