Why an Offensive Approach to Security Training is Effective
There is a saying in security that defenders have to be right 100% of the time, but attackers only have to be right once. While this may be an oversimplification, it illustrates that defenders need to understand how attackers think so they can anticipate attacks—the best defenders are those who truly understand offense.
Unfortunately, most training only focuses on defense. This is especially true with secure coding training. Most secure coding training courses either walk through code vulnerabilities and how to write secure code or detail which libraries to use and how to manage a secure software development lifecycle (SDLC). This type of training lacks a discussion of offense, and so gives software developers a one-sided view of secure coding. However, to write secure code developers must understand the minds of an attacker: how one thinks about applications and exploits their weaknesses.
By understanding offensive methods, developers become better defenders. This may make sense conceptually, but there is also a study that shows this is the case. The University of Mannheim study, Evaluation of the Offensive Approach in Information Security Education, found that students who received offensive training discovered more vulnerabilities and achieved higher scores on security tests than students who only had defensive training.
The study found that hands-on offensive security training resulted in:
- An improved ability to write secure software
- A better understanding of how software systems are hacked
- The ability to solve security-related problems faster
Secure coding training should include an offensive component to give students a well-rounded understanding of code vulnerabilities. This will also help keep students engaged by teaching them a new perspective and giving them the chance to think like an attacker.
HackEDU’s Secure Development Training uses hands-on offensive security training techniques as well as defensive instruction.