Developing applications is a creative process that also requires coders to be aware of security issues. Secure coding training is critical, but how that training is developed and presented can make a tremendous difference between "checking the box" training and training that yields results.
The stakes are high. Cybersecurity companies and law enforcement have reported an 800% surge in cyberattacks since the onset of the COVID-19 pandemic. While the average cost of a data breach worldwide is $4.24 million, the average cost of a breach in the United States is a staggering $9.05 million. In 2020, it took companies 280 days, on average, to identify and contain a data breach, and that delay further contributes to the overall cost.
According to Forrester, web applications were the number one attack vector. Injection vulnerabilities have been at the top of the OWASP Web Application Security Risks for more than 14 years. Additionally, more apps are requiring personal data, and new regulations to protect that data are being implemented. Given that fixing code once it is in production costs significantly more than writing it correctly in the first place, the pressure on software developers to produce excellent, secure code is enormous. Yet only 20% of newly hired developers have received secure coding training.
Developers face many challenges, including how to make time for effective training to understand and implement best practices. Surveys show that half of developers report that their codebases have grown 100-fold in volume over the last ten years. More than 90% face pressure to develop faster. Activities that interrupt workflow are not helpful in that environment. One Fortune 500 CISO put it this way: "Developers see secure coding training as a tax on their jobs." So, when secure coding training is presented, developers must see it as a value-add.
Training formats matter. Video-based training is inexpensive and available at any time, but it may not be effective. As with any video running in the background, it can be easily ignored. It is also not interactive, so trainees are not challenged to demonstrate comprehension, and video lessons are not customized to a particular company's needs. Similarly, online libraries or e-books lack interactivity and guidance; trainees may feel more like browsers than learners. Conventional hands-on online platforms are accessible, but they may also lack the customization needed to address developers' specific needs and questions. In-person learning may be effective, but it is expensive and time-consuming. With time at a premium, in-person learning may not give trainees room to raise specific or complex issues, because the class needs to cover its material without getting diverted.
Content also matters. Effective training addresses both offensive and defensive concepts. Trainees should learn to think like their adversaries and be able to understand how their applications can be attacked. Training should be divided into short, readily grasped concepts so that a trainee can learn a specific item in a 20- to 30-minute span. Training should also be contextual, so that the developers can relate what they are being taught to the job they do every day.
Secure coding training programs are not created equal. Some modes of training may meet regulatory compliance standards but leave holes in a developer's understanding of how to effectively solve the most common problems that lead to exploitable vulnerabilities in their code. With the increase in cyberattacks, the rising cost of data breaches, and the significant time lost when a breach takes place, it is not enough to rely on time-consuming or out-of-touch training. The key is to provide developers with customizable, interactive, real-world scenarios in which they can be trained in consumable portions of time. How developers are trained can make the difference between a costly hack and a secure application.