Why is Secure Development Training Needed?
Secure Development Training, or Secure Coding Training, is training for software developers in which they learn to write safer code. It usually covers the top vulnerability classes, such as the OWASP Top 10 or the CWE/SANS Top 25, explains how to code defensively against each of them, and explores best practices for developing secure software.
The vast majority of computer science graduates have never taken secure development training and do not know what the common vulnerability types are or how to defend against them. Universities need to do better. Developers then graduate and take a job where, most of the time, they again receive no secure development training. Many software engineers continue to progress in their careers without ever getting the secure coding fundamentals that are vital to keeping products safe. These are the same software engineers who are developing the software in your cars, pacemakers, social networks, and financial applications, and developing the code in your organization. Vulnerabilities increase the risk of data breaches and financial loss, and in the most extreme circumstances can even cause fatalities. Secure development training reduces the risk of these incidents.
Now, will secure development training stop all vulnerabilities? No. However, it is the first step in reducing the risk of vulnerabilities in software. Software developers need to be part of the solution and take responsibility for their code. Too often, software engineering organizations expect their security team to run application security tests and then fix the code when issues are found. This does not work, for several reasons. First, no one knows the software better than the developer who wrote it. Second, security engineers and software developers should be on the same team, with both taking responsibility for the security of the application. Throwing bad code over the fence to security engineers is irresponsible and costly. The later in the development or production process a vulnerability is found, the more costly it is to find and fix. It is better to do as much as possible from the beginning to stop vulnerabilities at the source.
Many companies do not have secure development training. They are the ones that pay out bug bounties for the same vulnerability type over and over, and the ones that see the same vulnerability types come up in their Common Vulnerabilities and Exposures (CVE) entries again and again. Training developers breaks this pattern, saves money, saves time, and reduces the risk of a security breach through the software they build.
Even if software developers have had secure development training in the past, that doesn't necessarily mean they remember all of it, and they may not be up to date on the latest attacks and defensive techniques. It is important to repeat the training yearly so that they refresh their skills and learn about the latest threats. You wouldn't trust someone who had CPR training 10 years ago as much as someone who had it last year, right? Refresher training reduces both cost and risk, and the return on investment is huge.
Still don’t know why Secure Development Training is needed? Go ask your software engineers if they know what a Cross-Site Request Forgery (CSRF) vulnerability is and how to defend against it. If they cannot tell you off the top of their head (without confusing it with a Cross-Site Scripting vulnerability, which is common), then that is why you need Secure Development Training.