Effective URL: https://www.darkreading.com/careers-and-people/creating-the-next-generation-of-secure-developers
Careers & People

Commentary


CREATING THE NEXT GENERATION OF SECURE DEVELOPERS

Helping management prioritize developer education is a tall order, but it's one
the industry must figure out.
Chris Wysopal
Chief Technology Officer, Veracode
January 03, 2022


As companies migrate to more resilient cloud infrastructures, threat actors
continue to turn their attention to the application landscape as an entry point
for compromising systems. With no less than 76% of applications plagued by at
least one security flaw, securing software must be a priority. Unfortunately, a
startling lack of training and education opportunities has left many developers
ill-prepared to write secure code and build systems that are secure by design —
right at the time when we need them most.

Despite finding ourselves at this crunch point, the cybersecurity skills gap
remains huge. This is compounded by a consistent lack of workplace training to
teach employees secure coding principles and how they affect the software
development life cycle.

Meanwhile, threat actors are becoming more capable, and recent high-profile
attacks on the likes of SolarWinds and the Colonial Pipeline have prompted US
President Joe Biden to issue a sweeping cybersecurity executive order that puts
significant emphasis on software security.

Among the many factors that play into the lack of secure coding education in the
secondary curriculum, the most glaring is that some faculty simply don't know
enough about the security field, leading to gaps between academia and industry.
Moreover, the gap has grown due to constant changes and evolving tool chains in
software development. Academia struggles to keep up, and students miss out on
opportunities to learn a critical and in-demand skill.

Of the college courses that do cover cybersecurity, many are focused on
protecting against issues caused by poor software security practices as opposed
to teaching how an attacker can manipulate and control a system as a result of
insecure code.

Developers need to understand the basics of how an application can be at risk
from attack vectors such as SQL injection or command injection. These are
specific concepts that aren't being taught enough in school, so training modules
around secure coding and application security principles must become a requisite
of any computer science curriculum.

On-the-Job Training Must Be Meaningful
As most coders enter the workforce without foundational secure coding knowledge,
it's increasingly important that developers have access to effective educational
opportunities in the workplace to keep up with changes in vulnerabilities and
coding best practices.

The good news is more than half of organizations in North America provide
developers with some level of security training, but just 29% require training
more than once a year. While many organizations offer their employees initial
security training or self-taught modules, ad hoc, infrequent training doesn't
empower developers to put what they've learned into practice. On top of that,
modern training exercises are often generic, boring, and far removed from actual
flaw identification and remediation, making it difficult to retain and execute
the training in the real world.

In day-to-day life, a developer writes a bunch of code, and then a week or a
month later, a security issue pops up. Half the time, another developer
remediates the flaw so the person who wrote it never gets the opportunity to fix
it. That means the original developer never applies what they learned and thus
quickly forgets the lesson.

Developers are always trying to learn new coding techniques — it's in their DNA.
So, lack of interest isn't the problem. It's the lack of interesting training
options. The trick is to make it meaningful — both engaging and applicable.
Create hands-on learning opportunities that allow coders to exploit and patch
real code, get real-time feedback, and then apply those AppSec principles to the
code they write. This immediate feedback loop helps coders learn and practice
application security in real-world scenarios that mirror their workflow.

Management Dilemma: Risk vs. Reward
The other big challenge to ongoing security education is altogether different
and, perhaps, even harder to solve. With constant pressure to produce more code
faster, development teams can't afford to lose coders to training for hours or
days at a time on a frequent basis. It cuts into production — a measurable cost
that's hard to defend to the business. On the other hand, what's at stake is
potentially far more costly.

Management must weigh the risk of lost production against the benefit of
security-minded developers. With the cost of a data breach now $424 million,
arming developers with the knowledge to prevent and fix software flaws is worth
a few hours of "rerouted" productivity. Helping management prioritize developer
education is a tall order, but one the industry must figure out.

Make Developers the Hero
Cyberattacks occur every 39 seconds, and if recent examples of cyberattacks and
ransomware incidents are any indication, things are only going to get more
serious. It is time to prioritize secure coding training for both up-and-coming
and existing developers to give them the knowledge they need to build secure
software from the start. The next generation of developers doesn't yet know
what's in store for them, but they may just be the heroes we need to shift the
tide in our favor.
